Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a9dcc2c2df84cc4…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2021-05-23 21:12:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f7914ef21a68ad06f571a51cad1c3bc5
SHA-1: 2f46bc376546d37607f132672d5c6e2740e55460
SHA-256: 4a9dcc2c2df84cc4a70398f95b0ade9e483b89ca6129bf117585ed79e8d9d08c
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a fake CAPTCHA and a call-to-action to obtain "Free Robux", which is a common lure for phishing or malware distribution. It embeds multiple URLs, including one pointing to a "free robux generator" and others to similarly themed PDF files, suggesting a campaign to trick users into visiting malicious sites or downloading further malicious content. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • Fake CAPTCHA / human verification prompt (severity: high) SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/431946152/free-robux-no-verification-no-survey-game-hack
    • http://nosocomium.rv.ua/images/get-free-tiktok-followers_GM835599320.pdf
    • http://nosocomium.rv.ua/images/how-to-get-free-robux-without-verification-2021_GM431946152.pdf
    • http://nosocomium.rv.ua/images/minecraft-pe-015-0-apk-free-download_GM479516143.pdf
    • http://nosocomium.rv.ua/images/is-minecraft-free-on-ps4_GM479516143.pdf
    • http://nosocomium.rv.ua/images/free-robux-hack-us_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_002_off00003407.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3407    24448 bytes
  SHA-256: 0b8f18ffd8fdbdc3e7f10a9842e8c79feebcb331b8a676f89175e92965c42b92
font_01_sfnt_off00006c1a.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x6C1A   18892 bytes
  SHA-256: 71091a6cc5ee2467f7d55b23aad8276d14a961c51a29e0f15aa3bcc69cbd56da