Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3a69e34aeeacbfe…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2021-05-21 23:50:32 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5:     cb69036349c8d157a0e205a3da108aa3
SHA-1:   d4ec84c30d4897511330679befcc4cc1b5fccfc8
SHA-256: f3a69e34aeeacbfe8531caff60367179f19e21ea3c8884f7f549d7f3631f4075
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The document carries 'Free Robux' and 'Roblox Generator' lures that direct the reader to external URLs. The MFA-lure heuristic fired because the text asks for a one-time code or authenticator approval, which points to credential or session-token harvesting rather than to a simple scam page. No JavaScript or other active content was extracted, so the risk lies in the embedded URLs and the lure text, not in the PDF itself: the external URI action takes a click out of the document, and the baroque1990.com links all point at further PDFs with the same naming pattern (…_GM<id>.pdf), suggesting a templated lure chain. The wikipedia.org link is benign and is listed only because every extracted URL is reported.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9407

Heuristics (4)

  • MFA / one-time-code harvesting lure [high] SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation, consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/free-robux-no-scam-game-hack
    • http://baroque1990.com/images/robux-com-free-robux_GM431946152.pdf
    • http://baroque1990.com/images/cheats-coin-master-free_GM406889139.pdf
    • http://baroque1990.com/images/roblox-catalog-free_GM431946152.pdf
    • http://baroque1990.com/images/how-to-buy-robux-for-free_GM431946152.pdf
    • http://baroque1990.com/images/best-free-roblox-outfits_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00003402.bin
  SHA-256: d8c614c792d1ce35c0913ad0340e67a9f95a83e7db36b336270a281c8e3eab21
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3402
  Size:    28076 bytes

Filename: font_01_sfnt_off0000742a.bin
  SHA-256: b3a5a2e86a30a2234a3ee6d3c2f7de48a52411aef28342c5883490dd6d64f819
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x742A
  Size:    18500 bytes
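The findings above come from three steps: pulling /URI actions out of the PDF, inflating the FlateDecode streams (the carved artifact at 0x3402), and running the lure heuristics over the recovered text. The script below is an added example that reproduces those steps; it is not the analysis tool's code and not taken from this sample. It builds its own minimal PDF inline (the lure text, the object layout and the lure.example.invalid hostname are constructed placeholders), and the keyword lists behind SE_MFA_LURE and SE_DOWNLOAD_BUTTON are assumptions modelled on the heuristic descriptions, not the tool's real rules.

```python
import re
import zlib

# Constructed sample, not the analysed file: a minimal PDF with one FlateDecode
# content stream carrying lure text and one link annotation with a /URI action.
# The hostname is a placeholder; none of the report's URLs are used.
PAGE_TEXT = (
    b"BT /F1 12 Tf 72 700 Td "
    b"(Enter the one-time code from your authenticator to claim free Robux) Tj "
    b"0 -20 Td (Download Now) Tj ET"
)
COMPRESSED = zlib.compress(PAGE_TEXT)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(COMPRESSED),
    COMPRESSED,
    b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 680 300 720] ",
    b"/A << /S /URI /URI (http://lure.example.invalid/free-robux_GM0.pdf) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

# /URI actions in literal-string form. Hex strings <...> and escaped parentheses
# inside the string are deliberately out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# stream ... endstream bodies; (?<!end) stops "endstream" being taken as a start keyword.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)

# Assumed keyword lists that mirror the page's heuristic descriptions (not the tool's rules).
LURE_PATTERNS = {
    "SE_MFA_LURE": re.compile(r"one-time code|authenticator|\bmfa\b|verification code", re.I),
    "SE_DOWNLOAD_BUTTON": re.compile(r"click here to download|download now", re.I),
}


def extract_uri_actions(data: bytes) -> list:
    """Return the URLs named in /URI actions found in raw PDF bytes (or in an inflated stream)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]


def carve_flate_streams(pdf: bytes) -> list:
    """Return (file offset, inflated bytes) for every stream body that inflates cleanly."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append((m.start(1), zlib.decompress(m.group(1))))
        except zlib.error:
            continue  # not FlateDecode, or damaged: leave it for other carving
    return out


def pdf_text_strings(content: bytes) -> str:
    """Pull literal strings shown by the Tj operator out of an inflated content stream."""
    return " ".join(s.decode("latin-1") for s in re.findall(rb"\(([^)]*)\)\s*Tj", content))


def lure_heuristics(text: str) -> list:
    """Return the IDs of the lure heuristics whose keywords appear in the text."""
    return [name for name, rx in LURE_PATTERNS.items() if rx.search(text)]


def analyse(pdf: bytes) -> dict:
    streams = carve_flate_streams(pdf)
    # URI actions inside an object stream (/ObjStm) are themselves compressed, so the raw
    # bytes are scanned first and then every inflated stream; duplicates are dropped.
    urls = extract_uri_actions(pdf)
    for _, data in streams:
        urls.extend(extract_uri_actions(data))
    text = " ".join(pdf_text_strings(data) for _, data in streams)
    return {
        "urls": list(dict.fromkeys(urls)),
        "streams": [(off, len(data)) for off, data in streams],
        "heuristics": lure_heuristics(text),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_PDF))
```

The regex approach is enough for a first triage pass and for reproducing the offsets in the artifact table, but it is not a PDF parser: a /URI written as a hex string, split across an incremental update, or reached only through an /OpenAction will not show up, which is why a report like this one labels the channel that reached each URL rather than trusting one extraction method.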