Malicious PDF — malware analysis report

Static analysis result for SHA-256 924bb67a51a21fb6…

Verdict: MALICIOUS
File type: PDF
Size: 49.4 KB
Created: 2021-06-10 13:35:25 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 8711e958074faf6c998881bae94c2441
SHA-1: 7c851b174fc6e27cc624bb53d95c92661c44de09
SHA-256: 924bb67a51a21fb6f38caa321df23043636ea3d888063c5da169d2eb4784c4b8
Risk Score: 62

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains multiple embedded URLs pointing to sites offering game exploits and virtual currency, suggesting a lure for users to download potentially malicious files. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs and callback lures reinforces the malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (4)

  • Callback phishing phone lure (medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00005285.bin
    SHA-256: 5f85d5b053d8d879c7871d38dad4403f9bfa7db6c5123bb841482c2e9e723628
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5285
    Size: 26984 bytes
  • Filename: font_01_sfnt_off0000908d.bin
    SHA-256: 40b61f8938bd710dc29dc58ba3fde91c245a6a69596ec569b4d27c769ca417cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x908D
    Size: 3884 bytes
  • Filename: font_02_sfnt_off00009d35.bin
    SHA-256: b571b23ced28404cca165c7d2541a3b4e03d14de04803de039160b5c377a8bb4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9D35
    Size: 18636 bytes