PDF malware analysis — malicious · f91d66fdc8b9183c

MALICIOUS

PDF

45.3 KB Created: 2021-06-04 00:12:55 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-13

MD5: 19dce86bf2d4f8710d050a1087c6a8f6 SHA-1: 09c421bb6f453b77a4dd78c877895f26f9f4ba5d SHA-256: f91d66fdc8b9183ccfd59a15ba069011a7440c89e890d7e749ec24cedb6519ed

220 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document employs a lure for free Robux and game hacks, impersonating brands like Walmart to trick users into clicking malicious links. The embedded links redirect to known malicious infrastructure, indicating a phishing or scam attempt. While no scripts were directly extracted, the PDF structure and embedded URLs strongly suggest an attempt to lead the user to a compromised site for credential harvesting or malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.9864

Heuristics 6

PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE

PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH

Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.online/app/431946152/free-robux-just-enter-username-game-hack.
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://netcdn.online/app/431946152/free-robux-just-enter-username-game-hack In PDF document text
- http://pustaka1.unindra.id/repository/free-coin-master-gift-link_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-robux-no-verification_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/how-to-get-free-food-for-foxy-in-coin-master_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/minecraft-reach-hack_GM479516143.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/cool-free-roblox-outfits_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/minecraft-java-code-free_GM479516143.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/coin-master-apk-hacked-3526_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-minecraft-codes_GM479516143.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/how-to-hack-any-roblox-account_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-robux-on-iphone_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/coin-master-free-coins-and-spins-daily-summary_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-robux-generator-2021_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/coin-master-free-cards-and-spin-link_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/official-coin-master-free-spins_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-coin-master-game_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/minecraft-hacks-pc_GM479516143.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-coin-master-spins-link_GM406889139.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/how-to-hack-roblox-accounts-on-phone_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/free-limiteds-roblox_GM431946152.pdfIn PDF document text
- http://pustaka1.unindra.id/repository/coin-master-hack-mod-apk-free-download_GM406889139.pdfIn PDF document text
- http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off00005143.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x5143	25656 bytes
SHA-256: `6cf2b537ec93da179b3850630b0ca39714cb5b29d40c92c06a0a0223d1489bd8`
`font_01_sfnt_off00008ca2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8CA2	18960 bytes
SHA-256: `ad194f5984d8cbd7c817d1b512f86f024f40bf30beebdf7d12c6ff62fc849400`

Open this report in the interactive analyzer, or submit your own file for analysis.