Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf7751559f4b69bd…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Created: 2021-05-20 15:09:40 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: d237f2bb34c356cd2b99a671ff2cce91
SHA-1: 58bc4688d871861d7076e29e75a6dde588839d32
SHA-256: bf7751559f4b69bdf66c4810304ed5d008335e716f23cd5d0bb305e2475314d2
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a call-to-action phrase, 'CLICK HERE TO ACCESS ROBLOX GENERATOR', suggesting a phishing or scam attempt. The ML classifier also flagged this PDF as malicious. The document body and heuristics indicate the lure is related to hacking Roblox accounts or obtaining free spins for Coin Master, directing users to potentially malicious websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8010

Heuristics (4)

  • Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/431946152/how-to-hack-peoples-roblox-accounts-game-hack
    • http://moskewicz.com/images/game-hunters-coin-master_GM406889139.pdf
    • http://moskewicz.com/images/roblox-zone-free-robux_GM431946152.pdf
    • http://moskewicz.com/images/coin-master-100-free-spins-link_GM406889139.pdf
    • http://moskewicz.com/images/hack-coin-master-game-apk-download_GM406889139.pdf
    • http://moskewicz.com/images/coin-master-daily-free-spins-link_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, its SHA-256, the artifact kind, where in the sample it was carved from, and its size.

stream_002_off0000331a.bin
  SHA-256: 5a4d00303c961388f936312e658a1801190340fd0e266ef4eefcf39a5386a92b
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x331A
  Size:    26636 bytes

font_01_sfnt_off00006e9d.bin
  SHA-256: 4c3e2db5174821787a4569c9da4979555510caebd15fb9cea35573c139e242bd
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6E9D
  Size:    3016 bytes

font_02_sfnt_off00007901.bin
  SHA-256: cd7407ef9aef6c4c50b1fdf01e763fd2e22944ade267215dee183f168e7b87f5
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7901
  Size:    18920 bytes