Malicious PDF — malware analysis report

Static analysis result for SHA-256 00d52b0d93e37b36…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Created: 2021-06-22 05:32:35 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c18f9f761fb79d9d53518a58266e1fd3
SHA-1: fd2be90acd77d71b9fa9318ad86b3a40c244214b
SHA-256: 00d52b0d93e37b36380135c950ee1a83d5ea11a1109d844c4d654e070c62f5de
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The document contains multiple embedded URLs and a call-to-action phrase, strongly suggesting a phishing or scam attempt. The ML classifier also flagged this PDF as malicious with high confidence. The primary lure appears to be offering hacks or generators for popular games, aiming to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9980

Heuristics (4)

  • Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off000034af.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x34AF
Size: 22364 bytes
SHA-256: cdca8870e5c391983ab9f6b1c8a05f746f925368108263f18007b2e17d4cf698

Filename: font_01_sfnt_off0000668f.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x668F
Size: 19300 bytes
SHA-256: b102dbcf8c0f7094141d3ece86ffa02dc7e79776ed322efa0adc532f42c9fe88