Malicious PDF — malware analysis report

Static analysis result for SHA-256 44536fec2f137172…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Created: 2021-05-25 10:30:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: a343ec3b738bc3ef2bae6a2e77793047
SHA-1: dfc56b5fd3054648ad2c688b97bac9e919c75a26
SHA-256: 44536fec2f137172c3e3178dfacc5f02f1946af1b914fa3744680f49bfe61dc0
Risk score: 122

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the user opens the PDF; following the embedded call-to-action link is T1204.001 User Execution: Malicious Link)

The PDF displays a fake CAPTCHA and a call-to-action button, styled as an Apple notice, to lure the reader into clicking a link that promises 'free Robux'. The only actual link action in the file points to https://netcdn.xyz/app/431946152/how-to-get-free-robux-on-mobile-game-hack, a host unrelated to Apple that is associated with credential phishing or malware distribution. The same numeric ID, 431946152, recurs in the first belgium-archery.be filename found in the document text, consistent with a templated campaign that publishes many such PDFs. No JavaScript or other scripts were extracted, so the file carries no exploit code: the risk is social engineering, with the PDF's layout and embedded links serving only to drive the user to the external URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7508

Heuristics (5)

  • [high] SE_FAKE_CAPTCHA: Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt. The generic rule text covers prompts used to trick users into running commands or pressing keyboard shortcuts; in this sample the prompt feeds the call-to-action link described above.
  • [high] SE_BRAND_CREDENTIAL_PHISH: Brand-impersonation credential phishing lure
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: the call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/how-to-get-free-robux-on-mobile-game-hack
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it counts here only because the two findings above establish a malicious workflow.
  • [info] PDF_URI: External URI
    PDF contains an external URL action (a link annotation with a /URI action).
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label says how each URL is reached (link annotation, document body text, macro, JS, ...). Only the first URL below is a real link action; the belgium-archery.be URLs and the Wikipedia link occur only as rendered text (some viewers still auto-link text URLs, so do not treat them as inert).
    • https://netcdn.xyz/app/431946152/how-to-get-free-robux-on-mobile-game-hack [PDF link annotation]
    • https://www.belgium-archery.be/images/more-robux_GM431946152.pdf [PDF document text]
    • https://www.belgium-archery.be/images/coin-master-free-spins-glitch_GM406889139.pdf [PDF document text]
    • https://www.belgium-archery.be/images/pokemon-go-free-083_GM1094591345.pdf [PDF document text]
    • https://www.belgium-archery.be/images/get-free-spins-coin-master-october-2021_GM406889139.pdf [PDF document text]
    • https://www.belgium-archery.be/images/free-coins_GM406889139.pdf [PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [PDF document text]

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_002_off0000337e.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x337E
  Size: 27084 bytes
  SHA-256: bcdda591e6a175ff40eacfe73e6b6fcf5022a9b62bd29bcb38aa8ac0cf7c00f4
font_01_sfnt_off000070a3.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x70A3
  Size: 5696 bytes
  SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
font_02_sfnt_off00007db4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7DB4
  Size: 18672 bytes
  SHA-256: 54aa4755d3d4fcbd00d11f20b69d4376192dec0a97bdc1376cf216d73564a968

No heuristic fires on the two embedded sfnt font streams; they are carved for completeness (wkhtmltopdf embeds the page's fonts). The decoded FlateDecode stream is the artifact to inspect for the document-text URLs and lure strings listed above.
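The per-URL channel separation, the brand/host-mismatch corroboration and the FlateDecode stream carving used in the sections above can be reproduced with a short stdlib-only script. The following is an added example written for this page, not the analysis platform's own detection code. It walks PDF objects with regular expressions rather than a real parser (an assumption that holds for plain PDF 1.4 output but not for files that pack objects into /ObjStm object streams or use hex-encoded or escaped /URI strings), builds a constructed stand-in PDF in place of the analysed sample, and uses example hostnames (netcdn.example, www.example.test) and an assumed brand domain list of apple.com; the rule names SE_FAKE_CAPTCHA and SE_BRAND_CREDENTIAL_PHISH are reused only as labels.

```python
"""Added triage example (not the analysis platform's code): pull URLs out of a
PDF by channel (link annotation vs. document text), inflate FlateDecode
streams, and apply the fake-CAPTCHA and brand/host-mismatch checks.
Assumptions: stdlib only, regex-based object walking, no /ObjStm packing."""
import re
import zlib
from urllib.parse import urlparse

URL_RE = re.compile(rb'https?://[^\s()<>\'"\\]+')
URI_RE = re.compile(rb'/URI\s*\(([^)]*)\)')   # link annotation: /A << /S /URI /URI (...) >>
STREAM_RE = re.compile(                        # stream dict (one nesting level) + body
    rb'<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream', re.S)
CAPTCHA_PHRASES = ("i'm not a robot", "human verification", "verify you are human", "captcha")
PHISH_PHRASES = ("unusual activity", "account on hold", "verify your account")


def carve_streams(pdf):
    """Yield (data_offset, dict_bytes, body) per stream, inflating FlateDecode bodies."""
    for m in STREAM_RE.finditer(pdf):
        d, body = m.group(1), m.group(2)
        if b'/FlateDecode' in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # truncated or damaged stream: keep the raw bytes for inspection
        yield m.start(2), d, body


def extract_urls(pdf):
    """Map each URL to the channel that reached it; a link annotation outranks body text."""
    found = {}
    for u in URI_RE.findall(pdf):
        found[u.decode('latin-1')] = 'link-annotation'
    for _, _, body in carve_streams(pdf):
        for u in URL_RE.findall(body):
            found.setdefault(u.decode('latin-1').rstrip('.'), 'document-text')
    return found


def brand_host_mismatch(urls, brand_domains):
    """Clickable (annotation) URLs whose host lies outside the impersonated brand's domains."""
    hits = []
    for url, channel in urls.items():
        if channel != 'link-annotation':
            continue
        host = (urlparse(url).hostname or '').lower()
        if not any(host == d or host.endswith('.' + d) for d in brand_domains):
            hits.append((url, host))
    return hits


def text_lures(pdf):
    """Phrase checks over all decoded stream bodies (lower-cased)."""
    text = b' '.join(body for _, _, body in carve_streams(pdf)).lower()
    return {
        'SE_FAKE_CAPTCHA': any(p.encode() in text for p in CAPTCHA_PHRASES),
        'SE_BRAND_CREDENTIAL_PHISH': any(p.encode() in text for p in PHISH_PHRASES),
    }


def build_sample_pdf():
    """Constructed stand-in for the analysed file (not the real sample): one page, a
    FlateDecoded content stream carrying the lure text, and a link annotation to an
    off-brand example host."""
    content = zlib.compress(
        b"BT /F1 12 Tf (Apple ID: unusual activity. I'm not a robot) Tj "
        b"(https://www.example.test/images/more-robux_GM431946152.pdf) Tj ET")
    uri = b"https://netcdn.example/app/431946152/how-to-get-free-robux"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (" + uri + b") >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def triage(pdf, brand_domains=('apple.com',)):
    """Combine the checks the way the report does: lure text plus an off-brand link action."""
    urls = extract_urls(pdf)
    lures = text_lures(pdf)
    mismatches = brand_host_mismatch(urls, brand_domains)
    return {'urls': urls, 'heuristics': lures, 'offbrand_links': mismatches,
            'corroborated': lures['SE_BRAND_CREDENTIAL_PHISH'] and bool(mismatches)}


if __name__ == '__main__':
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

Run as-is it triages the constructed sample; pass `open(path, 'rb').read()` to `triage()` for a real file. The offsets yielded by `carve_streams()` are the stream data offsets, the same convention as the "at offset 0x…" values in the artifact list. For anything beyond PDF 1.4-style output, replace the regex walk with a real parser (pypdf or pdfminer.six) so that object streams, indirect /Length values and hex-encoded strings are handled before the same URL and phrase checks are applied.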