Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f350259b8b42876…

MALICIOUS

PDF

41.0 KB Created: 2021-05-20 23:37:51 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-17
MD5: 477de51b7830a7f334981ca162a9402a SHA-1: af0e5812c3c6b4d86c84c877c64cb082d61a657c SHA-256: 2f350259b8b42876e15aaaab465f9841f987a56c205cbcf039eacc17478f69a3
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded links and a lure related to 'free game hacks' and username changes, indicating a phishing or scam attempt. The primary URL, https://netcdn.xyz/app/431946152/how-to-change-roblox-username-for-free-game-hack, is directly associated with a high-severity heuristic firing for a game hack redirect lure. While no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to redirect the user to malicious content, likely for credential harvesting or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7508

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-change-roblox-username-for-free-game-hack PDF link annotation
    • http://www.sepl.net.au/uploaded_files/userfiles/files/robux-hack-no-verification_GM431946152.pdfIn PDF document text
    • http://www.sepl.net.au/uploaded_files/userfiles/files/free-private-server-roblox_GM431946152.pdfIn PDF document text
    • http://www.sepl.net.au/uploaded_files/userfiles/files/get-me-free-robux_GM431946152.pdfIn PDF document text
    • http://www.sepl.net.au/uploaded_files/userfiles/files/android-coin-master-hack-2021_GM406889139.pdfIn PDF document text
    • http://www.sepl.net.au/uploaded_files/userfiles/files/minecraft-net-free_GM479516143.pdfIn PDF document text
    • https://direct-link.netIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000032ab.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x32AB 27720 bytes
SHA-256: ecee67aa23e2bf962985f51fd7631a8fed4168b27d945c5aff59720f8873adaf
font_01_sfnt_off00007215.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7215 2984 bytes
SHA-256: 889cfc2fd0afa9ea114d6666204c6ce0548d0aae2cba345827d317498c4c06bc
font_02_sfnt_off00007c41.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7C41 19240 bytes
SHA-256: 61006e5f3dddd6435ab0a2755610421e2f864d25a13f3f522a83b1d149be9d74

Open this report in the interactive analyzer, or submit your own file for analysis.