Malicious PDF — malware analysis report

Static analysis result for SHA-256 91a3a11cf5aa34f3…

MALICIOUS

PDF

37.2 KB Created: 2021-05-24 03:42:42 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: d8687cc34a16dc09a9fac5d9c699047f SHA-1: 7a9da6e1de087f8510f7f76a393a0080377a473f SHA-256: 91a3a11cf5aa34f3d6bc6573091b62cbe8580ccce7dbae408b5bae4047758e65
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains embedded links and a call-to-action button, impersonating PayPal to lure users with 'Roblox Promo Codes'. The primary malicious URL, https://netcdn.xyz/app/431946152/roblox-promo-codes-free-robux-game-hack, is hosted on a domain unrelated to the impersonated brand, indicating a phishing or malware distribution attempt. The ML classifier also flagged this PDF with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/roblox-promo-codes-free-robux-game-hack.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-promo-codes-free-robux-game-hack PDF link annotation
    • http://echosvoix.ch/images/coin-master-homepage_GM406889139.pdfIn PDF document text
    • http://echosvoix.ch/images/classic-minecraft-net-hacks_GM479516143.pdfIn PDF document text
    • http://echosvoix.ch/images/free-coin-master-cards_GM406889139.pdfIn PDF document text
    • http://echosvoix.ch/images/2021-roblox_GM431946152.pdfIn PDF document text
    • http://echosvoix.ch/images/how-to-get-free-robux-on-phone_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000031e5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31E5 26908 bytes
SHA-256: 9411769da472bef4838d4f88c83a640e4cd3799b4bebf8660125a807f4985219
font_01_sfnt_off00006f51.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6F51 18676 bytes
SHA-256: 3ed324e585500d41944ebd93500991c566830021fec9c5a8323b790459c3443f