Malicious PDF — malware analysis report

Static analysis result for SHA-256 b82d3f897587df9c…

MALICIOUS

PDF

39.9 KB Created: 2021-04-30 13:51:01 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: d8e8b4a253b8b32f52d5788fc54e1ec8 SHA-1: 52f252cc86425565125cdd7a1f90ddbe6b7a6868 SHA-256: b82d3f897587df9c581dba1627372d85c95451cfea9d5229260ff7692a961f93
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple invisible links and a visible call-to-action, directing users to websites that promise free Robux generators. This is a common lure for phishing or distributing malware. Although no scripts were explicitly extracted, the PDF structure and embedded URLs strongly suggest a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 3

  • Invisible PDF links to CAPTCHA-themed web lure high PDF_CAPTCHA_LINK_LURE
    PDF contains invisible clickable link annotations that point to a CAPTCHA/capcha-themed web path. This is a common phishing and ClickFix-style routing pattern: the PDF itself is inert, while the linked page performs the credential prompt or fake verification.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-generator-no-survey-or-captcha-game-hack In PDF document text
    • https://lib-stie.yai.ac.id/repository/free-gift-cards-cods-for-roblox.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/cheat-roblox-windows-10.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/roblox-super-power-training-simulator-hack-2021.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/hack-de-roblox-robux-gratis.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/roblox-military-simulator-how-to-use-hacking-device.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/roblox-hack-client-2021.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/gratis-hack-royale-hihg-roblox.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/free-robux-today-ad.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/robux-hack-2021.pdfIn PDF document text
    • https://lib-stie.yai.ac.id/repository/city-free-roblox.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003e3b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E3B 25600 bytes
SHA-256: 9cdd561ada23706c570fd8e28f7ac2b80ea70d33bfbd8f1de0255efa9467d8ff
font_01_sfnt_off0000780d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x780D 18980 bytes
SHA-256: ccfb705a538a2109eeef02598912e6f89bbeaed7226b22f7bb726715582fe091

Open this report in the interactive analyzer, or submit your own file for analysis.