Malicious PDF — malware analysis report

Static analysis result for SHA-256 b15a695083e1077d…

MALICIOUS

PDF

Size: 35.3 KB
Created: 2021-05-23 15:02:44 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b0918411c64a1e217e257469fe4acb64
SHA-1: e8e6eec9c818adfcdec665cc318e3eee3b3b5c90
SHA-256: b15a695083e1077deeb2b78d2b4a5c3e72914b89415516701f956c63599a5daa
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a visual call-to-action, strongly suggesting a phishing or scam attempt. The document body and heuristics indicate a lure for "Free Robux" or "game hacks", directing users to external links that likely host further malicious content or downloads. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics (4)

  • Callback phishing phone lure (medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/free-robux-survey-game-hack
    • https://www.colditex.com/images/how-to-hack-coin-master-in-pc_GM406889139.pdf
    • https://www.colditex.com/images/is-roblox-free-on-pc_GM431946152.pdf
    • https://www.colditex.com/images/coin-master-hack-no-human-verification_GM406889139.pdf
    • https://www.colditex.com/images/how-to-download-minecraft-for-free-on-pc_GM479516143.pdf
    • https://www.colditex.com/images/freer-tiktok_GM835599320.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off000030b7.bin
  SHA-256: beb68e0740b815333bd09cad731c2b849a0e7a9dc2d27d254ee84c34fad924f5
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x30B7
  Size: 24524 bytes

Filename: font_01_sfnt_off0000686e.bin
  SHA-256: 74a940f1217583ab80956cd168fb81f959241543e2b3413e790743682303989f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x686E
  Size: 18308 bytes