Malicious PDF — malware analysis report

Static analysis result for SHA-256 30b56d5a846bf69a…

MALICIOUS

PDF

36.6 KB Created: 2021-05-20 20:08:07 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: eb1d7321cf770cbc9fd2331c9fb0135a SHA-1: fb5f02eebf224b1692b318f584fa89b9e3888e1d SHA-256: 30b56d5a846bf69a4766a60597e34323ed80b4527505dc03fed76e508654883d
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a fake CAPTCHA lure and embedded URLs pointing to sites offering 'free Robux', indicating a phishing or scam attempt. The presence of external URIs and the ML classifier's high confidence score suggest malicious intent. While no scripts were explicitly extracted, the document structure and embedded URIs are indicative of a malicious PDF designed to trick users into downloading further malware or visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/rbx-gg-free-robux-game-hack
    • http://feuerwehr-rheinau.de/images/free-robux-com_GM431946152.pdf
    • http://feuerwehr-rheinau.de/images/how-to-hack-roblox-accounts-2021_GM431946152.pdf
    • http://feuerwehr-rheinau.de/images/coin-mster-free_GM406889139.pdf
    • http://feuerwehr-rheinau.de/images/minecraft-free-download-iphone_GM479516143.pdf
    • http://feuerwehr-rheinau.de/images/coin-master-hack-android-no-root_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033f1.bin
b4c0a01f0ed63c3b5e3f1de2b7c668d054abb9fbc8f7a7359384e4e01b204a8e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33F1 24968 bytes
font_01_sfnt_off00006d9d.bin
d1ad45f5b083d36c6ec4c124be04f92537ae8dd31535970cb7662339535ad89d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D9D 18304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.