Malicious PDF — malware analysis report

Static analysis result for SHA-256 672e09f852e78908…

MALICIOUS

PDF

32.7 KB Created: 2021-07-19 06:02:35 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2026-06-04
MD5: 5d2392a9d06d0ff83fe156623d9c04d1 SHA-1: 50752a55fab06b4a6ba78aebf8d7da44a71c3e96 SHA-256: 672e09f852e789089f170091cae40d8cc8e01a660b8c8de54f02d7c27b8b5372
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains lures for free Robux and game hacks, directing users to a malicious URL. The heuristic 'PDF_MALICIOUS_REDIRECTOR_LINK' confirms this URL is associated with malicious redirector infrastructure. While no scripts were explicitly extracted, the document body contains embedded URLs that are likely intended to download and execute further malicious content, aligning with a common phishing or malware distribution tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9900

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/431946152/robloxmatch.com-free-robux-game-hack In PDF document text
    • https://pythonbikers.de/images/minecraft-free-download-windows-10_GM479516143.pdfIn PDF document text
    • https://pythonbikers.de/images/roblox-hacks-2021_GM431946152.pdfIn PDF document text
    • https://pythonbikers.de/images/how-to-hack-a-minecraft-server_GM479516143.pdfIn PDF document text
    • https://pythonbikers.de/images/how-to-get-free-tiktok-followers-without-human-verification_GM835599320.pdfIn PDF document text
    • https://pythonbikers.de/images/free-robux-working_GM431946152.pdfIn PDF document text
    • https://pythonbikers.de/images/roblox-hack-game_GM431946152.pdfIn PDF document text
    • https://pythonbikers.de/images/tiktok-viewer-free_GM835599320.pdfIn PDF document text
    • https://pythonbikers.de/images/minecraft-dungeons-free_GM479516143.pdfIn PDF document text
    • https://pythonbikers.de/images/free-robux-codes-2021_GM431946152.pdfIn PDF document text
    • https://pythonbikers.de/images/minecraft-education-edition-free_GM479516143.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000295c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x295C 22420 bytes
SHA-256: 8af4f32b096177c3ed5de636554ae23824eee9296421922b67de9b7a16537ff9
font_01_sfnt_off00005b9a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5B9A 19100 bytes
SHA-256: 320d93f3b8ec418dafe56a0ab761e37d2656ce3fae295c57a773b93fd475c835