Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfd1d38104ba32da…

MALICIOUS

PDF

54.1 KB Created: 2021-05-20 21:38:09 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-08-25
MD5: 4b7542fb078e7195323e67307af3d312 SHA-1: 0b7d60731f13ef292f674ca89f3567426415e85c SHA-256: bfd1d38104ba32dab08db1751d0a3bc1f69e7f7a11d9e05522ea153c2879edc6
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains links designed to lure users into downloading free game currency generators, which is a common social engineering tactic. The primary link redirects to malicious infrastructure, indicating an attempt to deliver a payload or phish for credentials. No scripts were extracted, but the embedded URLs and heuristic firings strongly suggest a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5022

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-get-robux-for-free-2021-game-hack In PDF document text
    • http://algierimasonry.com/images/free-robux-no-offers_GM431946152.pdfIn PDF document text
    • http://algierimasonry.com/images/free-robux-without-doing-anything_GM431946152.pdfIn PDF document text
    • http://algierimasonry.com/images/try-minecraft-free_GM479516143.pdfIn PDF document text
    • http://algierimasonry.com/images/free-minecraft-windows-10-with-java_GM479516143.pdfIn PDF document text
    • http://algierimasonry.com/images/free-account-roblox-with-robux_GM431946152.pdfIn PDF document text
    • http://192.168.0.99/%20%3Cp%3E%3Cp%3EXonnek%20On%20Twitter%20Roblox%20Como%20Utilizar%20Hacks%20En%20Los.%20Como%20Descargar%20Un%20Hack%20Para%20Roblox%20Gratis%20Sin%20Virus.%20Roblox%20Hacks%20Download%20No%20Survey%20Tumblr.%20Robux%20Generator%20Roblox%20Hack%20Inicio%20Facebook.%20Hack%20Roblox%20Tener%20Robux%20Gratis%202018%20Diciembre%20Youtube.%3Cp%3E%3Cp%3EHow%20To%20Hack%20Robux%20Using%20Javascript.%20Malicious%20Chrome%20Extensions%20Stealing%20Roblox%20In%20Game%20Currency.%20Free%20Robux%20Easy%20Way.%20Roblox%20is%20one%20of%20the%20best%20online%20platforms%20worldwide%20for%20playing%20games%20socially%20commenced%20by%20roblox%20corporation.%3Cp%3E%3Cp%3E...hack%202019,%20How%20to%20hack%20roblox%202017,%20How%20to%20hack%20on%20roblox%202019,%20,%20free,%20Hack,%20Exploit,%20Panders,%20Viper%20Venom,%20Roblox,%20roblox%20jailbreak%20bones,%20gui,%20hack%20april%20second,%20piggy%20hack,%20how%20to%20hack%20roblox%20,%20beehack,%20hit%20box,%20roblox%20admin%20hack,%20roblox%20admin%20script%20hack,%20roblox%20admin%20commands...%3Cp%3E%3Cp%3EStep#%205:%20After%20gathering%20up%20to%201,000%20points,%20visit%20the%20Robux%20Claim%20section%20to%20redeem%20your%20points.%204.%20Robux%20Online%20Generator.%20Are%20you%20looking%20to%20obtain%20unlimited%20free%20Robux?%20Try%20the%20Robux%20Online%20Generator%20tool%20designed%20to%20help%20Roblox%20lovers%20obtain%20free%20Robux%20in%20a%20few%20short%20minutes.%20This%20online%20platform%20only%20requires%20your%20username%20and%20a%20few%20more%20...%3Cp%3E%3Cp%3ERabu,%2008%20Januari%202020.%20Brown%20Hair%20Roblox%20Boy%20Hair%20Codes.%2016.26.%20Roblox%20Hair%20Codes%20Youtube%20Roblox%20Hat%20Id%20Codes%20Free%20Robux%20Today%20Generator%20Brown%20Hair%20Codes%20For%20Roblox%20High%20School%20Th%20Clip.%3Cp%3E%3Cp%3Ext%20!*%20free%20robux%20generator%20no%20human%20verification%20-%20free%20robux%20quiz%20website%20Updated:%20April%2029,2021%20%7Bcurrent%20users:%2027044%7D4seconds%20ago%20These%20are%20some%20handy%20methods%20you%20can%20use%20In PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00007a79.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7A79 25384 bytes
SHA-256: 63ffe3590e9362a7a3428741e45f95bea03f898773fbece637f6dfe9e12a891e
font_01_sfnt_off0000b27b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB27B 18684 bytes
SHA-256: 65f445f0396e54760dd2a1edc1744209422bc48f29c35ea74a9bcb72e79f8b06