Malicious PDF — malware analysis report

Static analysis result for SHA-256 beb68711d80b8e1d…

Verdict: MALICIOUS
File type: PDF
Size: 32.6 KB
Created: 2021-07-19 20:55:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6a8a5b68be1699d7a786383dd58d8b95
SHA-1: bdb0357e50ce1f6bfc9dfe4e154eb0efba35df06
SHA-256: beb68711d80b8e1d2b056e20c26ca75432cf29ca8edb22409441418905de5a13
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document carries multiple external link actions and a prominent call to action for a "Free Robux Website" / "Robux Generator", a lure aimed at Roblox players. The Nyx classifier scores it as malicious with high confidence (0.99), and the link targets corroborate the verdict: apart from one incidental Wikipedia link, every URL points to a "free Robux / Minecraft / Coin Master spins / TikTok followers" page on netcdn.tw or ambarevleri.com, and the numeric id 431946152 recurs in both the netcdn.tw path and several ambarevleri.com file names, which is consistent with a templated scam campaign. None of the four heuristics or the two carved artifacts points to active content (no JavaScript, launch action or embedded file is reported), so this is a social-engineering document rather than an exploit: harm occurs only when a user follows one of the links, most likely to a credential-harvesting page or a further malware download. Note that SE_CALLBACK_LURE fired at medium severity but no phone number is quoted anywhere in this report, so that finding should be confirmed against the rendered text before it is used as an indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9900

Heuristics (4)

  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    The document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback-phishing and tech-support scam patterns. Suppressed for legitimate-issuer (IRS/government/official-form) documents that carry no urgency or charge/dispute escalation.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ("Click here to download", "Download Now", etc.). Low signal on its own unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record which channel reached each URL, but they are not reproduced in this summary.
    • http://netcdn.tw/app/431946152/free-robux-website-game-hack
    • https://ambarevleri.com/images/how-to-get-minecraft-java-edition-for-free_GM479516143.pdf
    • https://ambarevleri.com/images/minecraft-windows-10-free-with-java_GM479516143.pdf
    • https://ambarevleri.com/images/how-to-get-free-robux-on-phone_GM431946152.pdf
    • https://ambarevleri.com/images/coin-master-fan-page-free-spins_GM406889139.pdf
    • https://ambarevleri.com/images/how-to-hack-roblox-accounts-on-phone_GM431946152.pdf
    • https://ambarevleri.com/images/minecraft-windows-10-edition-unlock-full-game-free_GM479516143.pdf
    • https://ambarevleri.com/images/free-robux-without-verification_GM431946152.pdf
    • https://ambarevleri.com/images/how-to-get-free-tiktok-followers_GM835599320.pdf
    • https://ambarevleri.com/images/how-to-get-minecraft-bedrock-edition-for-free_GM479516143.pdf
    • https://ambarevleri.com/images/free-robux-pastebin_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License
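The PDF_URI and EMBEDDED_URL findings above rest on two different channels: a URL that is the target of a /URI link action, and a URL that merely appears in page text. The script below is an added example (not the analyser's own code) of how that channel labelling can be reproduced with only the standard library: it pulls /URI actions out of a PDF (literal strings with backslash escapes as well as hex strings), inflates FlateDecode streams so compressed content streams and object streams are searched too, and tags each URL with the channel that reached it. The sample PDF it builds is constructed for the demo; the hosts lure.example, hex.example and body.example are placeholders, and LURE_WORDS is an illustrative keyword triage for the lure family seen in this report, not the analyser's heuristic.

```python
import re
import zlib

# /URI followed by a literal string ( ... ) with backslash escapes (group 1) or a hex string < ... > (group 2)
URI_ACTION_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")               # URL in plain text
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)  # body of any stream object
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}
LURE_WORDS = ("free-robux", "robux-generator", "free-spins", "followers", "-hack", "for-free")  # assumed triage list


def unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n \\( \\) \\\\ and octal \\ddd."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
        if nxt in ESCAPES:
            out += ESCAPES[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(0).decode(), 8) & 0xFF)
            i += 1 + len(octal.group(0))
        else:
            i += 1  # unknown escape or line continuation: drop the backslash
    return bytes(out)


def decoded_views(pdf: bytes) -> list[bytes]:
    """The raw file plus every stream body that inflates with zlib (FlateDecode)."""
    views = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # other filters, fonts, images: nothing to search here
    return views


def extract_urls(pdf: bytes) -> dict[str, set[str]]:
    """Map URL -> channels: 'link-annotation' (/URI action) or 'document-body' (page text)."""
    found: dict[str, set[str]] = {}
    for view in decoded_views(pdf):
        action_spans = []
        for m in URI_ACTION_RE.finditer(view):
            if m.group(1) is not None:
                target = unescape_literal(m.group(1))
            else:
                digits = re.sub(rb"\s", b"", m.group(2)).decode()
                target = bytes.fromhex(digits + "0" * (len(digits) % 2))  # odd length pads with 0
            found.setdefault(target.decode("latin-1"), set()).add("link-annotation")
            action_spans.append(m.span())
        for m in URL_RE.finditer(view):
            # the target inside a /URI action also matches URL_RE; do not count it as body text
            if any(a <= m.start() < b for a, b in action_spans):
                continue
            found.setdefault(m.group(0).decode("latin-1"), set()).add("document-body")
    return found


def is_lure(url: str) -> bool:
    """Keyword triage for 'free Robux / free spins / hack' style lure URLs."""
    return any(w in url.lower() for w in LURE_WORDS)


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF (not the analysed sample): a FlateDecode content stream whose text
    mentions a URL, plus two /Link annotations with /URI actions (escaped literal and hex string)."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Visit http://body.example/free-robux now) Tj ET")
    hex_uri = b"https://hex.example/spins".hex().encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R 6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://lure.example/app/1\\(2\\)/free-robux) >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 650 300 670] /A << /S /URI /URI <" + hex_uri + b"> >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


if __name__ == "__main__":
    for url, channels in sorted(extract_urls(build_sample_pdf()).items()):
        print("LURE" if is_lure(url) else "    ", url, sorted(channels))
```

Run it on a real file with `extract_urls(open(path, "rb").read())`. The scan is deliberately parser-free so it also sees objects that a strict xref walk would miss (orphaned or appended objects), but it does not handle filters other than Flate, and a literal string containing unescaped nested parentheses is cut short at the first `)`; for production triage pair it with a real PDF library such as pikepdf or pdfminer and diff the two URL sets.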

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000029ab.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x29AB  22664 bytes
    SHA-256: 7ae9fed58957a4ab6028065db04c18427c715bf6bf8b2d9a68ccfae9c89ebd5a
font_01_sfnt_off00005c35.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5C35  18620 bytes
    SHA-256: 1505002d6ea1bdfb5df8555ad3fb0955e96c48ae23d69b78f4b624628793cc75

The sizes are those of the carved font data, not the on-disk stream length: 0x29AB (10667) plus 22664 bytes would run past the second stream at 0x5C35 (23605) in a 32.6 KB file, so the carved sizes are of the decoded streams. Two embedded sfnt (TrueType) font subsets are normal output for a wkhtmltopdf-rendered page and are not indicators on their own.