Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6b7c9261816e307…

MALICIOUS

PDF

38.7 KB Created: 2021-04-22 22:44:55 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-14
MD5: e4c83fabfeb673c481a681ed5aa17870 SHA-1: 6fd01ef7f81752866da29ccf812e9bbbb21b1e76 SHA-256: b6b7c9261816e307520dc7bb123973db28e6e20ee8222c7baa8d798f4e91f10d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple links and text fragments related to "hacking" and "free generators" for the game Roblox. The primary URL, https://netsecure.pro/app/431946152/how-to-hack-any-roblox-account-mobile-game-hack, is flagged as a lure for game hacks. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest a social engineering tactic to redirect users to potentially malicious or scam websites, aligning with spearphishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netsecure.pro/app/431946152/how-to-hack-any-roblox-account-mobile-game-hack PDF link annotation
    • http://galletta.com/images/free-robux-every-ten-seconds.pdfIn PDF document text
    • http://galletta.com/images/robux-generator-hack-2021-no-survey-november.pdfIn PDF document text
    • http://galletta.com/images/bloxburg-roblox-cheats.pdfIn PDF document text
    • http://galletta.com/images/free-skin-roblox-2021.pdfIn PDF document text
    • http://galletta.com/images/get-free-robux-right-now.pdfIn PDF document text
    • http://galletta.com/images/can-you-get-roblox-studio-free.pdfIn PDF document text
    • http://galletta.com/images/free-robux-no-information-needed.pdfIn PDF document text
    • http://galletta.com/images/roblox-scr-hack.pdfIn PDF document text
    • http://galletta.com/images/arsenal-roblox-cheats.pdfIn PDF document text
    • http://galletta.com/images/free-clothes-roblox-pastebin.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003e8d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E8D 24480 bytes
SHA-256: 30f4d94504a7a80331df6e48238bb3ec8dd2ff378f9dc9e255db7e21b1e7be95
font_01_sfnt_off00007685.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7685 19088 bytes
SHA-256: 990eee7815637446a35751d5ca26c43c7f96f674e2fb7f6db0f3ac57cd570a34