Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4fcb1394aa533f2…

Verdict: MALICIOUS

File type: PDF

Size: 34.1 KB
Created: 2021-06-30 06:54:50 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17

MD5: 73786d19bffd3da2ef3b94a5572217be
SHA-1: 06d6d8b512a5d6d9870357886171a1e13dc4286f
SHA-256: e4fcb1394aa533f2986ece8dcb58107b0d6bf125a9e0b7503d272364dd6c6ff0

Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains multiple links and a prominent call-to-action related to game hacks and free in-game currency, specifically for Roblox. The primary link, http://netcdn.co/app/431946152/roblox-hack-download-lumber-tycoon-2-game-hack, is flagged as a lure for a game hack. While no scripts were extracted, the document's structure and content strongly suggest it is designed to trick users into downloading potentially malicious files or visiting scam websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • PDF links to a 'free generator / game hack' redirector (severity: high, rule: PDF_GAME_HACK_REDIRECT_LURE)
    The PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack, the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this rule catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/roblox-hack-download-lumber-tycoon-2-game-hack (reached via: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind            | Source                                     | Size        | SHA-256
font_00_sfnt_off00002e59.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2E59 | 21536 bytes | 38fe94d42250a85728ae1b28d50530cfd48fc7a0625322af2b74e86c19d17aef
font_01_sfnt_off00005da1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5DA1 | 19864 bytes | 86151a105756505c772fba8e9172400c84a863d5d1c2cc60b09dd21a6216967b