Malicious PDF — malware analysis report

Static analysis result for SHA-256 edf35b46a6c62958…

MALICIOUS

PDF

37.0 KB Created: 2021-05-22 11:42:48 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2ea8095a49277f7fa9464dd90f019e6a SHA-1: 50374cd5c2272e4b7697b1d9f16ae066b183ad3d SHA-256: edf35b46a6c6295855610fe8e5cf76736def6ecaa8a53e01701c8e99766f67e5
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a fake CAPTCHA lure, designed to trick users into clicking embedded links. The primary external URI points to a URL associated with free Robux offers, a common lure for gaming-related malware. Several other URLs hosted on a similar domain also point to files related to game hacks and injectors, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/free-robux-offers-game-hack
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/free-roblox-injector_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/www-roblox-com-robux-free_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/roblox-hack-2021_GM431946152.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/the-coin-master-hack_GM406889139.pdf
    • http://cpsad.adturekorea.co.kr/newboard/_upload/userfiles/files/minecraft-hacks-pc_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003655.bin
972c9206b7cb62f4d611ce41d8ebd22cb79e97217a5ecb7ee864d9b6846e7dd4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3655 25020 bytes
font_01_sfnt_off0000703e.bin
2fb616bca13af88ff89276a9b2d2fcc075dc4ebb9507e4cf45ab0719cef726f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x703E 18012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.