Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6f8a868abe8cb5a…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2021-05-22 23:09:39 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 5fb529a51d38518d42b846d4b9ca9b2a
SHA-1: 6a26561dd84f1446556903a8127d8c4955d6e383
SHA-256: b6f8a868abe8cb5a27bc7f64d715c1db6fec4d4b1f333832107418cb76fa1914
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF document exhibits characteristics of an advance-fee scam, specifically a lottery or prize lure combined with parcel delivery requirements. The document body and extracted URLs promote a fake generator for in-game currency, such as "Robux", and contain phrases like "CLICK HERE TO ACCESS ROBLOX GENERATOR". This indicates an attempt to trick users into visiting malicious links, likely to download further malware or engage in fraudulent activities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7010

Heuristics (4)

  • Advance-fee lottery/parcel scam lure (severity: high, SE_ADVANCE_FEE_SCAM_LURE)
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_002_off00003197.bin
SHA-256: e2dcc9ab3c5d943c5d4c043b24e6a9d9b66549c9f39f2775ab392407de9c43cc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x3197
Size: 24680 bytes

Filename: font_01_sfnt_off00006a95.bin
SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6A95
Size: 2880 bytes

Filename: font_02_sfnt_off00007480.bin
SHA-256: 29dc967668ee0d992c179c4e94ca6f9cb219d50b5ccf800f63d20fdab69e699e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7480
Size: 18136 bytes