Malicious PDF — malware analysis report

Static analysis result for SHA-256 8630b75b2bf95660…

MALICIOUS

PDF

35.3 KB Created: 2021-06-17 22:20:26 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: cc164fa8edab1409cb87e83c6f67df9d SHA-1: b8af86bef74c0c6b3f3b9d6311876099d0119b11 SHA-256: 8630b75b2bf95660ed97b7fc4f28cb2fbc414ca5ac0e133ad3e6451339cdfa22
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains numerous embedded URLs and a document body that explicitly mentions "Free Roblox Exploit Dll" and "game hack", indicating a lure for users seeking cheats or exploits. The presence of a "PDF_SEO_LINK_FARM" heuristic firing, along with a high ML confidence score, strongly suggests malicious intent. The document likely serves as a phishing or malware distribution vector, directing users to download potentially harmful files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.co/app/431946152/free-roblox-exploit-dll-namedpipe-game-hack
    • http://sudamericarural.org/images/app-store-coin-master-free-spins_GM406889139.pdf
    • http://sudamericarural.org/images/coin-master-hacks-no-surveys_GM406889139.pdf
    • http://sudamericarural.org/images/free-robux-no-verification-no-survey_GM431946152.pdf
    • http://sudamericarural.org/images/how-to-hack-into-someones-roblox-account_GM431946152.pdf
    • http://sudamericarural.org/images/can-i-get-robux-for-free_GM431946152.pdf
    • http://sudamericarural.org/images/coin-master-free-spins-link-2021-today_GM406889139.pdf
    • http://sudamericarural.org/images/how-to-earn-robux-for-free-2021_GM431946152.pdf
    • http://sudamericarural.org/images/how-can-i-get-free-spins-on-coin-master_GM406889139.pdf
    • http://sudamericarural.org/images/free-robux-app_GM431946152.pdf
    • http://sudamericarural.org/images/free-tiktok-likes-without-verification_GM835599320.pdf
    • http://sudamericarural.org/images/how-to-hack-roblox-accounts-on-phone_GM431946152.pdf
    • http://sudamericarural.org/images/free-minecraft-accounts-2021_GM479516143.pdf
    • http://sudamericarural.org/images/coin-master-free-coins-and-spins-daily_GM406889139.pdf
    • http://sudamericarural.org/images/roblox-phantom-forces-hack_GM431946152.pdf
    • http://sudamericarural.org/images/coinmaster-spins_GM406889139.pdf
    • http://sudamericarural.org/images/free-robux-no-human-verification-2021_GM431946152.pdf
    • http://sudamericarural.org/images/block-best-robux_GM431946152.pdf
    • http://sudamericarural.org/images/coin-master-free-spin-no-offers_GM406889139.pdf
    • http://sudamericarural.org/images/getrobux-info_GM431946152.pdf
    • http://sudamericarural.org/images/tradelands-roblox-cheats-see-in-dark_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000030b8.bin
8c274e7dcfab7bbe308e3f98b7b3468e9f7b2ec0b1b8378f68f0b14db4fb337a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x30B8 23016 bytes
font_01_sfnt_off000063b7.bin
ae34534bc66e811247d0291d892e00c2b009c888c849526c4842df1f76c9d5e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63B7 19464 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.