Malicious PDF — malware analysis report

Static analysis result for SHA-256 007ad6adae982a34…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Created: 2021-05-11 19:54:06 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 24d59ba2a36eaa5832904792c8a1b3a4
SHA-1: f71a6b2454969a6e86750ca3ad8e6b1057642bb5
SHA-256: 007ad6adae982a34791ff49d3a86d6ba3694c6276835826a30fd9d685e9f7f91
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and text lures related to "Robux" and "Coin Master" hacks, indicating a phishing or scam attempt. The presence of external URIs and the ML classifier's high confidence score suggest malicious intent, likely to redirect users to sites hosting malware or further phishing content. No scripts were extracted, but the document structure and embedded URLs point towards a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8619

Heuristics (4)

  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, its SHA-256, the artifact kind, where in the sample it was found, and its size.

  • font_00_sfnt_off00004713.bin
    SHA-256: 9238a3c9bd98dc97efa6722e176007702d9096b339e08f15a5f29dcfd9217dd8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4713
    Size: 24952 bytes
  • font_01_sfnt_off00007f53.bin
    SHA-256: 3fb127b764b9d10f5525bc4de5ec8316de704409ccb0cf21cff3ad8a30d11676
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F53
    Size: 2840 bytes
  • font_02_sfnt_off00008900.bin
    SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8900
    Size: 5696 bytes
  • font_03_sfnt_off00009611.bin
    SHA-256: 59ace597cf85b15723adf2883f87d3990bd92e723e57ffb30000155e26dd48af
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9611
    Size: 17952 bytes