Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c23a98477821aa0…

Verdict: MALICIOUS

File type: PDF

Size: 35.0 KB
Created: 2021-05-23 23:35:59 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 5a61b5383fd5dbf165cc8adb92e7c211
SHA-1: 44b9d0fc1e862c7ccc19e107296c0ef3a61f37e2
SHA-256: 3c23a98477821aa0c45304fd6982f1bb6eaa24b2dbad0ea9cf211d8998b991c0
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The sample is a PDF document that contains a fake CAPTCHA lure and a call-to-action button, aiming to trick users into clicking a malicious URL. The embedded URL and other URLs found within the document point to sites offering 'free Robux' or game hacks, which are common pretexts for malware distribution. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics (4)

  • Fake CAPTCHA / human verification prompt [high] SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/free-robux-codes-2021-game-hack
    Other URLs found in the document:
      • http://www.fanciullovito.it/images/how-do-you-earn-free-coins-for-coin-master_GM406889139.pdf
      • http://www.fanciullovito.it/images/coin-master-32-mod-hack-apk-download_GM406889139.pdf
      • http://www.fanciullovito.it/images/daily-coin-master-link_GM406889139.pdf
      • http://www.fanciullovito.it/images/is-there-a-free-version-of-minecraft_GM479516143.pdf
      • http://www.fanciullovito.it/images/how-to-get-creative-mode-in-minecraft-server-hack_GM479516143.pdf
      • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00003002.bin
  SHA-256: 88b4db0387367ed6683084a27c5977f405a1db4dd90d59ca3753cc85764b548a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3002
  Size: 23788 bytes

Filename: font_01_sfnt_off00006617.bin
  SHA-256: 0c0011b59677f21f59199ad7d2a82948105ed154610022cedcbab6f052c91d55
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6617
  Size: 18588 bytes