Malicious PDF — malware analysis report

Static analysis result for SHA-256 7934bb9c25bfe2a8…

MALICIOUS

PDF

Size: 42.3 KB
Created: 2021-05-12 06:00:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 58560c1d9b0c5090b95d412369b0f162
SHA-1: dbf6b2d4a9bdebf20b08a20c153c431409fd05f0
SHA-256: 7934bb9c25bfe2a8732c6491b103355408627eb74a50228cf500f5d0d5b9cd6c
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The document presents a fake CAPTCHA and a call-to-action to download 'free Robux', which is a common lure for malicious downloads. The embedded URLs point to suspicious domains, and the ML classifier strongly flagged this PDF as malicious. The primary goal appears to be tricking the user into downloading a second-stage payload via the provided links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 4

  • Fake CAPTCHA / human verification prompt (severity: high, rule SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/free-robux-net-game-hack
    • http://firesafetyservices.biz/images/minecraft-hack-download_GM479516143.pdf
    • http://firesafetyservices.biz/images/coin-master-links-to-free-spins_GM406889139.pdf
    • http://firesafetyservices.biz/images/free-robux-gift-card-codes_GM431946152.pdf
    • http://firesafetyservices.biz/images/where-can-i-get-free-spins-for-coin-master_GM406889139.pdf
    • http://firesafetyservices.biz/images/roblox-free-robux-no-human-verification_GM431946152.pdf
    • http://firesafetyservices.biz/images/coin-master-free-spin-link-app_GM406889139.pdf
    • http://firesafetyservices.biz/images/coin-master-free-spins-blogspot_GM406889139.pdf
    • http://firesafetyservices.biz/images/free-robux-no-human-verification-generator_GM431946152.pdf
    • http://firesafetyservices.biz/images/claim-roblox_GM431946152.pdf
    • http://firesafetyservices.biz/images/free-robux-generator-2021-no-survey_GM431946152.pdf
    • http://firesafetyservices.biz/images/free-robux-codes-no-verification_GM431946152.pdf
    • http://firesafetyservices.biz/images/get-free-coins-for-coin-master_GM406889139.pdf
    • http://firesafetyservices.biz/images/how-to-win-robux_GM431946152.pdf
    • http://firesafetyservices.biz/images/free-roblox-money_GM431946152.pdf
    • http://firesafetyservices.biz/images/rbx-free-robux_GM431946152.pdf
    • http://firesafetyservices.biz/images/moon-static-coin-master-generator-hacks-free_GM406889139.pdf
    • http://firesafetyservices.biz/images/ways-to-get-free-robux_GM431946152.pdf
    • http://firesafetyservices.biz/images/minecraft-nintendo-switch-digital-code-free_GM479516143.pdf
    • http://firesafetyservices.biz/images/how-to-get-free-robux-on-pc_GM431946152.pdf
    • http://firesafetyservices.biz/images/how-to-get-free-robux-2021-no-human-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

font_00_sfnt_off00004933.bin
  SHA-256: 0faf8bd05ce784724815beeab0588eed494068b712a011e336fcb7471d2f5f9a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4933
  Size: 25104 bytes

font_01_sfnt_off0000836c.bin
  SHA-256: 1fd200dee0908774cd7421e0a60456d96d7b5616485fa29449c155c3981f88c9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x836C
  Size: 18120 bytes