Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bf7bac54670203f…

Verdict: MALICIOUS
File type: PDF
Size: 92.5 KB
Created: 2021-05-21 00:31:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: f688fd8905d9a3c00f55d225a9e493ec
SHA-1: 5928c779326b46b9330d0b8a255be3a06e988a6d
SHA-256: 7bf7bac54670203f537303821e4b5572696df1ead7c92016c2a7d834658b6055
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple links to redirector infrastructure and uses lures about free game generators and hacks (Roblox robux, Minecraft codes). The download-button heuristic also fired, consistent with a document built to get the victim to click. No JavaScript or other active content was extracted, so it is the document structure and the embedded URLs that indicate a phishing or redirection attempt, most likely to deliver a secondary payload: the risk is the click-through chain, not a viewer exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9803

Heuristics (4)

  • [critical] PDF_GAME_HACK_REDIRECT_LURE: PDF links to a 'free generator / game hack' redirector
    The PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack, the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware or scam payload. Multi-link variants also trip the ML and link-farm rules; this rule catches the single-link variants that would otherwise score clean. It is critical on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infrastructure, and because the host rotates, a host-list match cannot be relied on, so the rule matches on the path shape rather than the hostname.
  • [critical] PDF_MALICIOUS_REDIRECTOR_LINK: PDF links to known malicious redirector infrastructure
    The PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents rely on user interaction and redirect chains rather than on a PDF parser vulnerability, so the exposure is the click-through, not the viewer.
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low signal on its own and only matters when other findings point to a malicious workflow, as they do here.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL is not a detection by itself: see the per-URL channel labels for how each one was reached (macro, JS, link annotation, document body, ...).
    • https://netcdn.xyz/app/431946152/roblox-games-with-free-radio-game-hack (in PDF document text)
    • http://sv-nahetal.de/images/minecraft-redeem-code-free-2021_GM479516143.pdf (in PDF document text)
    • http://sv-nahetal.de/images/google-how-do-you-get-robux_GM431946152.pdf (in PDF document text)
    • http://sv-nahetal.de/images/websites-that-give-you-free-robux_GM431946152.pdf (in PDF document text)
    • http://sv-nahetal.de/images/free-robux-no-human-verification-or-survey-2021_GM431946152.pdf (in PDF document text)
    • http://sv-nahetal.de/images/minecraft-anarchy-server-no-hacks_GM479516143.pdf (in PDF document text)
    • http://192.168.0.99/%20%3Cp%3E%3Cp%3EWith%20no%20end%20in%20sight%20for%20this%20free-to-play%20game%20creating%20platform,%20now%20is%20an%20excellent%20time%20to%20sample%20some%20of%20the%20best%20user-created%20games%20Roblox%20has%20to%20offer.%20Watch%20on%20YouTube%3Cp%3E%3Cp%3EHacked%2057%20minutes%20ago.%20Knicolasih.%20Followers:%2011.%20Hacked%202%20hours%20ago.%20Jesika9002.%20Followers:%202.%3Cp%3E%3Cp%3EEarn%20ROBUX%20with%20us%20today%20and%20purchase%20yourself%20a%20new%20outfit,%20gamepass,%20or%20whatever%20you%20want%20in%20ROBLOX!%20OGRobux%20is%20one%20of%20the%20best%20free%20robux%20site%20to%20make%20easy%20robux%20for%20doing%20simple%20tasks%20and%20inviting%20friends.%20Anyone%20from%20anywhere%20can%20use%20OGRobux.%3Cp%3E%3Cp%3Eaudio%20visualizer%20roblox%20upload%20how%20to%20get%20free%20robux%202019%20ios%20music%20xbox%20console%20audio%20sound%20listening%20to%20you.%20image%20titled%20roblox%20colouring%20pages%20printable%20cd4%20png.%20Tiered%20Audio%20Upload%20Prices%20With%20!%20Longer%20Max%20Length%20Sizes%20how%20to%20get%20robux%20on%20roblox%20without%20buying%20it!%3Cp%3E%3Cp%3EROBUX%20GENERATOR%20-%20FREE%20ROBUX%20%E2%80%A2They%20are%20compatible%20with%20both%20Android%20and%20iOS%20devices.%20They%20should%20have%20a%20team%20in%20place%20to%20check%20the%20compatibility%20of%20their%20product%20to%20ensure%20they%20are%20not%20selective.%20%E2%80%A2Easy%20to%20use:%20The%20primary%20focus%20of%20all%20generator%20providers%20should%20be%20to%20make%20the%20life%20of%3Cp%3E%3Cp%3EHome%20/%20Executor%20/%20KRNL%20/%20Roblox%20/%20KRNL%20-%20Free%20Executor.%20KRNL%20-%20Free%20Executor%20by.%20Mikael%20Publisher%20on.%20January%2002,%202021%20in%20Executor,%20KRNL,%20Roblox.%20Last%20Updated:%20December%2012,%202020%20Download%20KRNL%20Download%20Click%20here%20Info%20*%20DLL%20exploits%20require%20a%20dll%20injector%20*%20Disable%20your%20anti...%20Last%20Updated:%20December%2012,%202020%3Cp%3E%3Cp%3EWelcome%20to%20free%20robux%20code%20generator.%20free%20robux%20code%2 (in PDF document text; URL truncated as extracted)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
    Two observations on this list. The 192.168.0.99 entry is a private (RFC 1918) address whose path is percent-encoded HTML paragraph text (%3Cp%3E), so it is not a reachable link; it reads as residue of the HTML source that wkhtmltopdf rendered into this PDF, which is useful for clustering documents from the same template. The five sv-nahetal.de links point to further .pdf files carrying a _GM<id> suffix, and GM431946152 is the same id that appears in the netcdn.xyz /app/431946152/ path, so those documents belong to the same lure family.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind                      Source                                       Size
stream_002_off00011399.bin      decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x11399    24104 bytes
    SHA-256: ec1f9c3d17c98e4b6937fa14204bb86636381b93590be593b9c17a3a3cc84946
font_01_sfnt_off000149b7.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x149B7   19200 bytes
    SHA-256: 1d90b013fd0ba072e710b1a1c7967957ed75a631fea3266b3a2ef171103bab79
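
The following script is an added example, not the analysis platform's own code, and it serves two parts of this report at once: the artifact table just above (carving FlateDecode streams at their file offsets, hashing them and tagging sfnt font streams by magic) and the heuristics section (URL extraction per channel, the /app/<id>/<slug>-game-hack path-shape rule that ignores the rotating hostname, and the low-signal call-to-action phrase check). It parses the PDF with regular expressions rather than a cross-reference table, which is what a triage script typically does with damaged or hostile files, and it does not see objects packed inside object streams. The PRIVATE_ADDRESS_ARTIFACT rule name is my own assumption, added to flag RFC 1918 hosts like the 192.168.0.99 entry above; PDF_MALICIOUS_REDIRECTOR_LINK is omitted because it needs a host list the report does not reproduce. The sample PDF is constructed inline (same lure URL, made-up layout) so the block runs offline.

```python
"""Added example, not the report's tooling: carve a PDF's streams (as in the
artifact table), then pull URLs per channel and apply the lure heuristics."""
import hashlib
import ipaddress
import re
import zlib
from urllib.parse import urlparse

# "N G obj << ... >> stream": the tempered (?!endobj) keeps the dictionary match
# inside one object, so a dictionary with no stream is never spliced onto the
# next object's stream. Objects packed in object streams are not visible here.
STREAM_HDR_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /A << /S /URI /URI (...) >>
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Path shape from PDF_GAME_HACK_REDIRECT_LURE; the hostname is deliberately ignored.
GAME_HACK_PATH = re.compile(r"^/app/\d+/[a-z0-9]+(?:-[a-z0-9]+)*-game-hack/?$", re.I)
CTA_RE = re.compile(rb"click here to download|download now|download here", re.I)
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType/OpenType


def carve_streams(pdf):
    """One record per stream object: data offset, kind, decoded size, SHA-256, bytes."""
    out, pos = [], 0
    while (m := STREAM_HDR_RE.search(pdf, pos)):
        start, dictionary = m.end(), m.group(2)
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:  # indirect /Length (N 0 R): fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end >= 0 else len(pdf)].rstrip(b"\r\n")
        pos = start + len(raw)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or multi-filter stream; a full tool honours /DecodeParms
        else:
            data = raw
        kind = "pdf-font-stream" if data[:4] in SFNT_MAGIC else "decompressed-pdf-stream"
        out.append({"obj": int(m.group(1)), "offset": start, "kind": kind, "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return out


def extract_urls(pdf, streams):
    """Map each URL to its channels: a /URI action is a clickable link annotation,
    a URL inside a decoded content stream is document text."""
    urls = {}
    for m in URI_ACTION_RE.finditer(pdf):
        url = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")  # undo \( \) \\
        urls.setdefault(url, set()).add("link annotation")
    for s in streams:
        for m in URL_RE.finditer(s["data"]):
            urls.setdefault(m.group(0).decode("latin-1"), set()).add("document text")
    return urls


def classify_url(url):
    """Report rule plus one added check. PRIVATE_ADDRESS_ARTIFACT is an assumed rule
    name: RFC 1918 hosts are unreachable for victims and betray the HTML template."""
    parts, hits = urlparse(url), []
    if GAME_HACK_PATH.match(parts.path):
        hits.append(("PDF_GAME_HACK_REDIRECT_LURE", "critical"))
    try:
        if ipaddress.ip_address(parts.hostname or "").is_private:
            hits.append(("PRIVATE_ADDRESS_ARTIFACT", "info"))
    except ValueError:
        pass  # a DNS name, not an IP literal
    return hits


def has_call_to_action(streams):
    """SE_DOWNLOAD_BUTTON. Weak by design: text split across TJ arrays or drawn with
    a custom-encoded embedded font needs a real text extractor, not a byte regex."""
    return any(CTA_RE.search(s["data"]) for s in streams)


def triage(pdf):
    streams = carve_streams(pdf)
    urls = extract_urls(pdf, streams)
    findings = [(rule, sev, url, sorted(chans))
                for url, chans in urls.items() for rule, sev in classify_url(url)]
    if has_call_to_action(streams):
        findings.append(("SE_DOWNLOAD_BUTTON", "low", "", []))
    sevs = {f[1] for f in findings}
    verdict = "MALICIOUS" if "critical" in sevs else "SUSPICIOUS" if "low" in sevs else "CLEAN"
    artifacts = [{k: v for k, v in s.items() if k != "data"} for s in streams]
    return {"verdict": verdict, "findings": findings, "urls": urls, "artifacts": artifacts}


def stream_obj(data, extra=b""):
    packed = zlib.compress(data)
    return (b"<< /Length %d /Filter /FlateDecode%s >>\nstream\n" % (len(packed), extra)
            + packed + b"\nendstream")


def build_sample_pdf():
    """Constructed stand-in for the analysed file (same lure URL, made-up layout):
    a FlateDecode content stream, a /Link annotation and a tiny fake sfnt font."""
    text = (b"BT /F1 12 Tf 72 700 Td (Download Now) Tj 0 -20 Td "
            b"(https://netcdn.xyz/app/431946152/roblox-games-with-free-radio-game-hack) Tj "
            b"0 -20 Td (http://192.168.0.99/template) Tj ET")
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
            stream_obj(text),
            b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] /A << /S /URI /URI "
            b"(https://netcdn.xyz/app/431946152/roblox-games-with-free-radio-game-hack) >> >>",
            stream_obj(b"\x00\x01\x00\x00" + b"\x00" * 16, b" /Length1 20")]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    print(result["verdict"], result["findings"], sep="\n")
    for a in result["artifacts"]:
        print(a["kind"], hex(a["offset"]), a["size"], a["sha256"])
```

On a real sample the offsets and hashes this prints line up with the artifact table format above, and the URL map separates clickable annotations from text the victim only sees, which is the distinction the EMBEDDED_URL channel labels make. The path-shape match is the part worth keeping in a detection pipeline: it fires on any host, which is the point made under PDF_GAME_HACK_REDIRECT_LURE.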