Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b5bfc03e2e8d3f1…

Verdict: MALICIOUS
File type: PDF

Size: 43.1 KB
Created: 2021-05-17 15:15:29 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3e8442aaded3759fa4866db969d8a670
SHA-1: 6b171b8a0e34868487ad130e5932862cb8aedaa6
SHA-256: 7b5bfc03e2e8d3f11a3133ad44ce830fbcf45b2b88f7bfe54e2fa22c163d8f9b
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document presents a fake CAPTCHA or human verification prompt to trick users into clicking a link, likely for a scam or to download further malware. The embedded URL and numerous other related URLs point to sites offering 'free Robux' or game hacks, reinforcing the lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • Fake CAPTCHA / human verification prompt [high] SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/free-robux-app-real-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000047b7.bin
    SHA-256: c90b6a8d4e7f04441f1ef1c9653cc02d6ca7bf97f76079039ced73c1bad82e1a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x47B7
    Size: 26612 bytes
  • Filename: font_01_sfnt_off00008576.bin
    SHA-256: 9e447b6d8b47d61e54db9515b6598511f2c2f765926adb3e35dae1cd8ee44e1f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8576
    Size: 18492 bytes