Malicious PDF — malware analysis report

Static analysis result for SHA-256 d56bc121f1e1d245…

MALICIOUS

PDF

35.6 KB Created: 2021-06-30 08:30:09 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-11-23
MD5: c0ac5ed1c69aca8cec80498f7cac8cf9 SHA-1: 3fe19d523196ae77532c209d9dedfa057331a912 SHA-256: d56bc121f1e1d245cecaff6604873c4f59c302e8eb24eec364bfa06453a48ce1
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document contains numerous links to external resources, many of which point to IP addresses and are associated with malicious redirector infrastructure. The document body and extracted URLs suggest a lure for obtaining 'free Robux' or game hacks, likely leading to malware downloads or phishing. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to exploit user interest in game cheats.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.co/app/431946152/hack-robux-cheat-engine-6.4-game-hack In PDF document text
    • http://202.56.165.220/digilab/repository/free-robux-sin-vertificacion_GM431946152.pdfPDF link annotation
    • http://202.56.165.220/digilab/repository/how-to-get-free-robux-on-phone-2021_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/free-stuff-on-roblox_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/synapse-hack-roblox_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/roblox-games-free_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/how-to-get-robux-easy_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/free-robux-without-having-to-download-anything_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/how-to-hack-on-roblox-rap-battles-2021_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/how-do-u-hack-a-roblox-account_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/free-coin-master-gifts_GM406889139.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/free-robux-no-human-verification-or-survey-or-download-2021_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/nightmare-freddy-hack-in-roblox_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/how-to-hack-in-roblox-ninja-legends_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/roblox-game-card-generator-download-free_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/robux-hack-tool-2021_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/prisonbreaker-hack-script-roblox-pastebin_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/minecraft-bedrock-server-hosting-free_GM479516143.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/roblox-hacked-cliient_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/roblox-mm2-coin-hack-2021_GM431946152.pdfIn PDF document text
    • http://202.56.165.220/digilab/repository/free-roblox-bundles_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000032fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32FB 22440 bytes
SHA-256: 895378338bc33d58b1694be5230d7efa0ecab058a7555cf0a68843b18b79da0f
font_01_sfnt_off000064dc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x64DC 19408 bytes
SHA-256: 92d93ddf67275460aef8ad1d4d0858c62941e44b2bd2838347a787326c09f0a1

Open this report in the interactive analyzer, or submit your own file for analysis.