Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ccdb9f1d66f4bb5…

MALICIOUS

PDF

37.2 KB Created: 2021-05-11 18:36:46 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 9f126d1d5b7ed35eb16e108ed19bc7c3 SHA-1: fa8a0ef3c08a1448f7d3370198d9c8634be5b08e SHA-256: 1ccdb9f1d66f4bb53cdb0772788c308bb58681f6a833ff48b2bc66a898e46579
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1071.001 Web Protocols

The PDF document contains a high-severity heuristic indicating it's a 'GAME_HACK_REDIRECT_LURE' and a 'BRAND_CREDENTIAL_PHISH' impersonating Microsoft. The embedded link, https://netcdn.xyz/app/431946152/free-roblox-executor-game-hack, is presented as a 'free Roblox executor' or 'generator', a common lure for malicious downloads or phishing. While no scripts were explicitly extracted, the nature of the lure and the embedded URLs suggest an attempt to trick the user into downloading a malicious payload or providing credentials.

Machine Learning

  • Nyx PDF Classifier clean score 0.0460

Heuristics 5

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/free-roblox-executor-game-hack.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-roblox-executor-game-hack PDF link annotation
    • https://chiemsee-simssee-h-boot.de/images/roblox-cheat-robux_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000357e.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x357E 25172 bytes
SHA-256: c699308a0386efbfa84820b70ad0731ca66387b1364c2a5eb041dc54f628db56
font_01_sfnt_off0000701b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x701B 18192 bytes
SHA-256: aee71e4758d3f369cf1e3ec5c54acee68a6a8a95a34d59606e1594aaec7d96dc

Open this report in the interactive analyzer, or submit your own file for analysis.