Malicious PDF — malware analysis report

Static analysis result for SHA-256 386b04dce5c42a35…

MALICIOUS

PDF

37.5 KB Created: 2021-05-21 23:05:30 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e21cb9dee144d2b0893dfeb0b6ae4d1d SHA-1: 0fed0aa8d439c405e0460c8ffb93bc6646971b20 SHA-256: 386b04dce5c42a35859e683313c358b720be28c0c9225a7237d9473c6f533a0f
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a call-to-action phrase, suggesting a phishing or social engineering attempt. The document body explicitly mentions "How To Hack A Roblox Account 2021" and "CLICK HERE TO ACCESS ROBLOX GENERATOR", indicating a lure to download potentially malicious content. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-hack-a-roblox-account-2021-game-hack
    • http://45.115.65.99/__statics/gudangsoal/files/minecraft-jar-free_GM479516143.pdf
    • http://45.115.65.99/__statics/gudangsoal/files/free-coins-coin-master-link_GM406889139.pdf
    • http://45.115.65.99/__statics/gudangsoal/files/hack-to-send-gold-cards-on-coin-master_GM406889139.pdf
    • http://45.115.65.99/__statics/gudangsoal/files/free-spins-coinmaster_GM406889139.pdf
    • http://45.115.65.99/__statics/gudangsoal/files/free-robux-hack-us_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000031a1.bin
a1b2c7162300c554a32b75ae5ca7448972c18e82b13ce202500eaf09effe4936		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31A1 26048 bytes
font_01_sfnt_off00006ec8.bin
aeef6a7714c6357f73dd4bac3524810632f54ab1d1528492d13c90d39421ba58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EC8 18992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.