Malicious PDF — malware analysis report

Static analysis result for SHA-256 3945b6af17fb3ce9…

MALICIOUS

PDF

40.5 KB Created: 2021-05-24 06:25:21 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 244bacf6bbff082c6a6d5d2e26c6e874 SHA-1: 0b793af64577dc468643c93de2e9678f0c139132 SHA-256: 3945b6af17fb3ce95a57a8261e336b6178a41c4ab815b15e3c972a5731093ab5
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document uses a 'Free Robux' lure and impersonates Microsoft, indicating a credential phishing or malware distribution attempt. The embedded URI and multiple other URLs point to external resources that likely host malicious content or phishing pages. Although no scripts were directly extracted, the PDF structure and embedded URIs suggest an attempt to redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7768

Heuristics 5

  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/free-robux-websites-that-actually-work-2021-game-hack.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-websites-that-actually-work-2021-game-hack PDF link annotation
    • http://schottlandfieber.de/images/earn-free-robux-on-roblox_GM431946152.pdfIn PDF document text
    • http://schottlandfieber.de/images/free-roblox-usernames-and-passwords_GM431946152.pdfIn PDF document text
    • http://schottlandfieber.de/images/coin-master-free-coins-link_GM406889139.pdfIn PDF document text
    • http://schottlandfieber.de/images/how-do-you-get-free-robux-without-doing-anything_GM431946152.pdfIn PDF document text
    • http://schottlandfieber.de/images/free-robux-obby_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033e9.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33E9 26860 bytes
SHA-256: 397021cdc6eac7f4dbdff5c6e5e58c64a2a17193062f1e692ab250a4fbecf4b2
font_01_sfnt_off00006f1c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6F1C 2820 bytes
SHA-256: d88f25cfe237a714f996150a11dd8a058f0f7c3e9d1ae91c17b46c10409b6c0b
font_02_sfnt_off000078b7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x78B7 19656 bytes
SHA-256: 7b3ca8e33f6ab65cae0b12a773bae5d0e0377a7b1030ef9ec14be3c3cdd71d54