Malicious PDF — malware analysis report

Static analysis result for SHA-256 76d316501715d34b…

MALICIOUS

PDF

40.5 KB Created: 2021-05-20 14:07:53 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-18
MD5: a85bfe58cafa3c54126a9297fe775be1 SHA-1: 80863e13c508b23ffd0db0eaf677f74d41fc8568 SHA-256: 76d316501715d34bd4edd4d86443b0e8cd01e75e4222edcded04354a4bcd6ba0
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a heuristic firing for a 'free generator / game hack' lure, which is associated with a fake CAPTCHA prompt. This suggests the document's primary purpose is to trick users into clicking malicious links. The embedded URLs point to sites offering 'free Robux' or game hacks, common pretexts for phishing or malware distribution. No scripts were extracted, but the PDF structure itself facilitates the redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7768

Heuristics 5

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-hack-no-verification-game-hack PDF link annotation
    • https://www.mahabircreation.com/uploaded_files/userfiles/files/free-robux-app-real_GM431946152.pdfIn PDF document text
    • https://www.mahabircreation.com/uploaded_files/userfiles/files/roblox40com-robux_GM431946152.pdfIn PDF document text
    • https://www.mahabircreation.com/uploaded_files/userfiles/files/coin-master-free-cards_GM406889139.pdfIn PDF document text
    • https://www.mahabircreation.com/uploaded_files/userfiles/files/chisel-and-bits-mod-pe_GM479516143.pdfIn PDF document text
    • https://www.mahabircreation.com/uploaded_files/userfiles/files/free-spins-on-coin-master-game_GM406889139.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003438.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3438 26980 bytes
SHA-256: 053ae3861366be2adde10f59642dd44fa63c6c2f8662c82b265e9d9e2cde0ed2
font_01_sfnt_off000070c0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x70C0 3084 bytes
SHA-256: 4889dc98a6bfd3c9244583f92387be58625a91e7a969778ad35ada89b27ed636
font_02_sfnt_off00007b66.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7B66 18772 bytes
SHA-256: 87cd01898e0c435f6b8e3fdf3db31fb3453f40f32176463e71dafc861d9bd3f7

Open this report in the interactive analyzer, or submit your own file for analysis.