Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0fe8b17185e3d27…

MALICIOUS

PDF

36.2 KB Created: 2021-05-21 15:31:14 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 3283286797639160a5ad544f44759b20 SHA-1: 5d74894b290eaa11d2c85be8c3c674b70d6c7408 SHA-256: a0fe8b17185e3d274f722b8ea49f9a3714e434dbdb404d02f3bd0845f07876a7
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document displays a fake CAPTCHA and a download button lure, impersonating LinkedIn to trick users into clicking a link for 'free Robux'. The embedded URLs, such as https://netcdn.xyz/app/431946152/free-robux-pin-codes-game-hack, are associated with credential phishing and malware distribution. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9492

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/431946152/free-robux-pin-codes-game-hack.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-pin-codes-game-hack PDF link annotation
    • http://foo.com.tw/files/free-robux-codes_GM431946152.pdfIn PDF document text
    • http://foo.com.tw/files/tiktok-free-to-watch-online_GM835599320.pdfIn PDF document text
    • http://foo.com.tw/files/can-you-get-robux-for-free_GM431946152.pdfIn PDF document text
    • http://foo.com.tw/files/free-coin-master-coins-and-spins_GM406889139.pdfIn PDF document text
    • http://foo.com.tw/files/free-robux-images_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000031e5.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31E5 24952 bytes
SHA-256: 4e48043fd16eaa530ad3606850fb9a6aefb6d4cfda830b72a7076b669dccdb14
font_01_sfnt_off00006b82.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6B82 18464 bytes
SHA-256: 23872266a6577b01853888d52c04c526ac323517b7f86f8cb64f3b9e81653507

Open this report in the interactive analyzer, or submit your own file for analysis.