Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c305a3549618659…

MALICIOUS

PDF

40.3 KB Created: 2021-04-23 22:44:44 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-17
MD5: c82ff7d54b27c2d9187dd3ee9f57c9b4 SHA-1: 4097c63e9a82b72cae54e61441acbe34b9fe8279 SHA-256: 1c305a35496186598fc8f95b008e9d564640773e3356deb259ec174b3a8942ad
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document uses a "game hack" lure, impersonating the Facebook brand to trick users into clicking a malicious link. The primary link, https://netsecure.top/app/431946152/easy-hack-on-roblox-game-hack, is identified as a credential phishing or malware download attempt. While no scripts were explicitly extracted, the PDF structure and embedded links suggest a potential for exploiting PDF vulnerabilities or redirecting to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 6

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netsecure.top/app/431946152/easy-hack-on-roblox-game-hack.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netsecure.top/app/431946152/easy-hack-on-roblox-game-hack PDF link annotation
    • https://sitecontabil.com.br/ckfinder/userfiles/files/hack-for-all-games-roblox.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/commands-for-free-admin-roblox.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/hack-robux-with-no-gift-card.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/get-free-robux-on-roblox-with-coputer.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/roblox-hack-online-generator.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/how-to-get-free-robux-in-jail-breck.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/robux-kaufen-free.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/top-10-free-items-in-roblox.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/free-coins-roblox.pdfIn PDF document text
    • https://sitecontabil.com.br/ckfinder/userfiles/files/how-to-hack-roblox-accopunt-passowrds.pdfIn PDF document text
    • https://robux-rank.comIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004088.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4088 25504 bytes
SHA-256: 7565222fb3a5807bb8b52d22801d4dae21d74bf0368621172694349aa7986677
font_01_sfnt_off00007b7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7B7E 18360 bytes
SHA-256: c089554008bfa24e7615d1727040cb68e45c167be2a31ddaed069c7b95ba1a1f