Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e7b8a127f879450…

Verdict: MALICIOUS
File type: PDF
Size: 53.8 KB
Created: 2021-06-02 16:20:15 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: eaa082405429bca83ac1f040f593b6e9
SHA-1: 7100ad6ab416ee184af75377afd24194df3793db
SHA-256: 3e7b8a127f879450a5647427376dbd71f06380dec48d130868216c319fdda5a0
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains an embedded URL and text that lures the user with promises of free Robux and game hacks, indicative of an advance-fee scam. The ML classifier also flagged the document as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the lure suggest an attempt to redirect the user to a malicious site, likely for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9636

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high) [SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Visual download / call-to-action button lure (severity: low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/redeem-codes-to-get-free-robux-game-hack

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off000050d8.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x50D8
    Size: 36928 bytes
    SHA-256: d3b6439a54f1d059253c7c9c35a4304d12c19ed45f098c0e8559f503e2d259d8
  • font_01_sfnt_off0000a23e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA23E
    Size: 5696 bytes
    SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
  • font_02_sfnt_off0000af50.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAF50
    Size: 18552 bytes
    SHA-256: 471fec02b64450551b06943b69791c4ef1c5aeca2df60e7d968f7a4f38ff496c