Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cfb01ec6f9f82f3…

MALICIOUS

PDF

36.0 KB Created: 2021-05-30 03:33:21 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 4b770f8b56d1262799661fa1ae2984aa SHA-1: 77391fc11cd64d6565f1ded79b28efb69820a07e SHA-256: 9cfb01ec6f9f82f324294a9da62c64ba36d6ad5e2b9cc200e7b7a5937e874afc
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains lures related to "How To Hack Robux" and "CLICK HERE TO ACCESS ROBLOX GENERATOR", directing users to external URLs. The presence of embedded URLs and the ML classifier flagging the PDF as malicious strongly suggest a phishing or malware distribution attempt. The document body text and heuristics indicate a lure to download a payload, likely related to game exploits or scams.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8925

Heuristics 4

  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-hack-robux-game-hack
    • https://bulbenko.co.uk/wp-content/uploads/fsqm-files/minecraft-windows-10-free_GM479516143.pdf
    • https://bulbenko.co.uk/wp-content/uploads/fsqm-files/bloxpink-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002f3f.bin
9e9756eee10ed18f7b52309c3ccbe6024af7c560125299b8957f96a4a496428f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F3F 26800 bytes
font_01_sfnt_off00006aff.bin
799ae8847f356c5b4d712fc876b96dd84d848442331064266ecb6e470ae97e62		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AFF 18412 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.