Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad6a83fea6685cec…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2021-04-23 07:46:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 38d73e490b027816596c58c3b3d6c18c
SHA-1: 6f03631927e5bc5b16cad1102ae13457ca650329
SHA-256: ad6a83fea6685cecfbbd30b3a086348b05e51c770500132c569d2e26da2a93cb
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous embedded URLs advertising game exploits and hacks, strongly suggesting a lure to download malicious content. The presence of a 'callback phishing phone lure' heuristic indicates a potential social engineering tactic to trick users into calling for fake support or billing issues. While no scripts were directly extracted, the ML classifier and URI findings indicate a high likelihood of malicious intent, possibly involving a secondary payload download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics (4)

  • Callback phishing phone lure (medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004111.bin
SHA-256: 792de30a44a482af3c2251ee55c148a3530b205861c53d9dc2f01db778090e7d
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4111
Size: 26024 bytes

Filename: font_01_sfnt_off00007d1b.bin
SHA-256: 73e4343c584fae168ac3ea97b441db61affada72e47beababfd8e0e49fab6a9a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7D1B
Size: 18488 bytes