Malicious PDF — malware analysis report

Static analysis result for SHA-256 40c4227869db24ab…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2021-05-20 13:30:18 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 659744a92804c8ce9328be31fffa31c3
SHA-1: 7bea114c7d7cff4a9506631a3b18144e8ef2be33
SHA-256: 40c4227869db24abaa297a4b5b792d40b26fc0389632ecf77a3a26cdd4f71ddd
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The document displays a fake CAPTCHA, a common lure to trick users into clicking malicious links. The embedded URL and other extracted URLs point to sites offering 'free Robux' or 'Coin Master cheats', reinforcing the phishing pretext. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • Fake CAPTCHA / human verification prompt (severity: high, rule: SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://netcdn.xyz/app/431946152/games-on-roblox-that-give-you-free-robux-game-hack
    • https://hbln.org.au/images/how-to-use-scripts-in-roblox-hack_GM431946152.pdf
    • https://hbln.org.au/images/free-coin-master-androd-cheats-2021_GM406889139.pdf
    • https://hbln.org.au/images/coin-master-free-coins-link_GM406889139.pdf
    • https://hbln.org.au/images/free-money-and-spins-coin-master_GM406889139.pdf
    • https://hbln.org.au/images/pasos-para-hackear-coins-master_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off000032a9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x32A9
    Size: 25288 bytes
    SHA-256: 559b3e65777dd1daae60016f4487f3e709584cb63f092f6c52358d3a86e17da2
  • font_01_sfnt_off00006b69.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B69
    Size: 19240 bytes
    SHA-256: 3009583106c638257969d16940e6b1d2d6c9c8cef99a9d3856a451b20885bf07