Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2f0b630c3579198…

Verdict: MALICIOUS
File type: PDF
Size: 51.6 KB
Created: 2021-05-31 19:17:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: d116592a8a014f4c74723fe756b77aa4
SHA-1: 0edaca72cdfb5b352e4a4ad917fca06e62dc0491
SHA-256: c2f0b630c3579198e3693d853c3e88388c97c47cddaea5d13da4ca79d59cc40a
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document embeds multiple URLs, plus a prominent link in the body text, all advertising free in-game currency, game hacks or app giveaways (Roblox, Minecraft, Coin Master, TikTok). That theme is a common lure for phishing and malware distribution. The ML classifier independently rated the PDF malicious with high confidence (score 0.9685). No JavaScript or other active content was extracted, so the file itself carries no executable payload; the risk lies in the external links, which can lead to a download or a redirect to a malicious site. The authoring application is wkhtmltopdf, so the PDF was rendered from an HTML page rather than hand-authored. Triage should focus on the linked hosts, not on the PDF's own content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9685

Heuristics (4)

  • Callback phishing phone lure (medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-get-free-stuff-roblox-march-2021-game-hack
    • https://acode.com.br/wp-content/uploads/fsqm-files/tiktok-viewer-free_GM835599320.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/roblox-hack-me_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-robux-redeem-codes_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-robux-roblox-promo-codes_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/roblox-hack-new-dtfb-test_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-robux-websites-2021_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/paste-bin-robux-hack_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-minecraft-alt-accounts_GM479516143.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/minecraft-free-download-iphone_GM479516143.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/coin-master-hack_GM406889139.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/how-to-get-free-robux-no-verification_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/coin-master-free-spins-link_GM406889139.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/roblox-juwelen-hack-mad-paintball_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/how-do-you-get-robux-on-roblox-for-free-2021_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-coins-on-coin-master_GM406889139.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/free-minecraft-skin-maker_GM479516143.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/hack-robux_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/how-to-get-robux-for-free-2021_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/gears-online-roblox-hack_GM431946152.pdf
    • https://acode.com.br/wp-content/uploads/fsqm-files/is-tiktok-free_GM835599320.pdf
    • http://en.wikipedia.org/wiki/MIT_License
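The two social-engineering heuristics above (SE_CALLBACK_LURE and SE_DOWNLOAD_BUTTON) can be reproduced as text rules over the extracted document text. The following is an added example, not the scanner's own code: the rule IDs and severities follow the report's labels, but the phone-number pattern, the keyword lists, the legitimate-issuer suppression and the three sample texts are this example's assumptions, constructed so it runs offline.

```python
import re

# Rule IDs and severities follow the report's labels (SE_CALLBACK_LURE medium,
# SE_DOWNLOAD_BUTTON low). The phone pattern, keyword lists and suppression
# logic are this example's own assumptions, not the scanner's real rules.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALL_RE = re.compile(r"\b(?:call|dial|phone|contact us at|reach us at)\b", re.I)
LEGIT_ISSUER_RE = re.compile(
    r"\b(?:irs|internal revenue service|official form|form 1040|form w-\d)\b|\.gov\b", re.I)
BILLING_CONTEXT = ("billing", "refund", "subscription", "fraud", "security",
                   "invoice", "charged", "renew", "payment", "dispute")
URGENCY = ("immediately", "within 24 hours", "urgent", "suspended",
           "dispute", "unauthorized", "will be charged")
DOWNLOAD_CTA = ("click here to download", "download now", "free download",
                "get it now", "install now")


def callback_lure(text):
    """SE_CALLBACK_LURE: a phone number the reader is told to call, in a
    billing/refund/subscription/fraud/security context. Returns None when the
    rule does not fire or is suppressed for a legitimate issuer without urgency."""
    low = text.lower()
    phones = PHONE_RE.findall(text)
    if not (phones and CALL_RE.search(text) and any(k in low for k in BILLING_CONTEXT)):
        return None
    if LEGIT_ISSUER_RE.search(text) and not any(k in low for k in URGENCY):
        return None   # IRS/gov/official form with no urgency or charge/dispute escalation
    return ("SE_CALLBACK_LURE", "medium",
            "asks the reader to call %s in a billing/security context" % phones[0].strip())


def download_button(text):
    """SE_DOWNLOAD_BUTTON: a download call-to-action phrase; low signal on its own."""
    low = text.lower()
    hits = [p for p in DOWNLOAD_CTA if p in low]
    if not hits:
        return None
    return ("SE_DOWNLOAD_BUTTON", "low", "call-to-action phrase %r" % hits[0])


def run_heuristics(text):
    """Apply both rules to extracted document text; returns the list of findings."""
    return [f for f in (callback_lure(text), download_button(text)) if f]


# Constructed sample texts (not extracted from the analysed PDF).
CALLBACK_TEXT = ("Your annual subscription has been renewed and your card will be charged "
                 "$399.99. If you did not authorize this, call 1-800-555-0143 within 24 hours "
                 "to request a refund.")
IRS_TEXT = ("Form 1040 instructions. For questions about this official form, call the IRS "
            "at 800-829-1040. Refund status is available at https://www.irs.gov/refunds.")
LURE_TEXT = ("How to get free stuff Roblox March 2021 game hack. Click here to download: "
             "https://lure.invalid/app/1/free-robux-hack and get free Robux now!")

if __name__ == "__main__":
    for name, sample in (("callback", CALLBACK_TEXT), ("irs", IRS_TEXT), ("lure", LURE_TEXT)):
        print(name, run_heuristics(sample))
```

The IRS sample shows the suppression path: it contains a phone number, a "call" verb and a refund context, but a legitimate-issuer marker and no urgency wording, so the callback rule stays silent; add "your account will be suspended" and it fires again. The game-hack sample trips only the low-severity download rule, which matches the severity mix the report shows for this PDF.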

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_004_off00005105.bin | 8f1fa0c43b7b87ae59d45d76d4ba609239272a1ccbe57920139bb2c7ec4dbb3a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5105 | 25412 bytes
font_01_sfnt_off00008c1e.bin | 4c3e2db5174821787a4569c9da4979555510caebd15fb9cea35573c139e242bd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C1E | 3016 bytes
font_02_sfnt_off0000967d.bin | 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x967D | 5696 bytes
font_03_sfnt_off0000a38f.bin | a662573db403246f41db1ecaa5399c75f4a46779b028847479ae28b0dbcf0edd | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA38F | 19348 bytes
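The artifact table above and the PDF_URI / EMBEDDED_URL heuristics both come from walking the PDF's stream objects: inflate each FlateDecode stream, record its offset and SHA-256, classify it (an sfnt font if the decoded bytes start with the TrueType/OpenType magic), and label every URL with the channel that reached it (a /URI link action versus text in a page content stream). The script below is an added example, not the analysis platform's own carver: it builds a small PDF inline (constructed, with .invalid hostnames, not the analysed sample) and only handles direct objects with a direct /Length; object streams, cross-reference streams and encrypted files are out of scope. The artifact filenames are modelled on the report's naming.

```python
import hashlib
import re
import zlib

# Constructed sample, not the analysed file: a minimal PDF with one Link
# annotation carrying a /URI action, one FlateDecode content stream whose
# visible text contains a URL, and one FlateDecode font stream whose decoded
# payload starts with the TrueType sfnt magic. Hostnames are .invalid.
BODY_TEXT = b"BT /F1 12 Tf 72 700 Td (Download Now: https://lure.invalid/free-robux) Tj ET"
FONT_DATA = b"\x00\x01\x00\x00" + b"\x00" * 60          # sfnt magic + dummy table bytes
LINK_URL = b"https://netcdn.invalid/app/1/how-to-get-free-stuff"


def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _stream(num, extra, raw):
    data = zlib.compress(raw)
    head = b"<< %s /Filter /FlateDecode /Length %d >>\nstream\n" % (extra, len(data))
    return _obj(num, head + data + b"\nendstream")


SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>")
    + _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    + _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>")
    + _stream(4, b"", BODY_TEXT)
    + _obj(5, b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
              b"/A << /S /URI /URI (" + LINK_URL + b") >> >>")
    + _stream(6, b"/Subtype /TrueType", FONT_DATA)      # a real file references this via /FontFile2
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N 0 obj << ... >> stream": the tempered dot stops the dictionary match at
# "endobj", so a non-stream object cannot swallow the next object's stream.
STREAM_RE = re.compile(rb"(\d+) 0 obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")   # direct /Length only, not "n 0 R"
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")               # the /URI (string) key of a URI action
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def iter_streams(pdf):
    """Yield (objnum, dict_bytes, data_offset, decoded_bytes) for every stream object."""
    for m in STREAM_RE.finditer(pdf):
        objnum, dct, off = int(m.group(1)), m.group(2), m.end()
        lm = LENGTH_RE.search(dct)
        if lm:
            raw = pdf[off:off + int(lm.group(1))]
        else:                                   # indirect /Length: fall back to the keyword
            raw = pdf[off:pdf.find(b"endstream", off)].rstrip(b"\r\n")
        decoded = raw
        if b"/FlateDecode" in dct:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:                  # truncated or deliberately broken stream
                pass
        yield objnum, dct, off, decoded


def carve_artifacts(pdf):
    """One record per stream, named like the report's artifacts (kind, offset, size, SHA-256)."""
    records, fonts = [], 0
    for i, (objnum, dct, off, data) in enumerate(iter_streams(pdf), 1):
        if data[:4] in SFNT_MAGIC:
            fonts += 1
            name = "font_%02d_sfnt_off%08x.bin" % (fonts, off)
            kind, source = "pdf-font-stream", "PDF embedded font (sfnt) at offset 0x%X" % off
        elif b"/FlateDecode" in dct:
            name = "stream_%03d_off%08x.bin" % (i, off)
            kind, source = "decompressed-pdf-stream", "PDF FlateDecoded stream at offset 0x%X" % off
        else:
            name = "stream_%03d_off%08x.bin" % (i, off)
            kind, source = "raw-pdf-stream", "PDF stream at offset 0x%X" % off
        records.append({"filename": name, "sha256": sha256_hex(data),
                        "kind": kind, "source": source, "size": len(data)})
    return records


def extract_urls(pdf):
    """Map each URL to the channel that reached it: a /URI action or the page text."""
    found = {}
    for m in URI_RE.finditer(pdf):
        found.setdefault(m.group(1).decode("latin-1"), "URI action (link annotation)")
    for objnum, dct, off, data in iter_streams(pdf):
        for m in URI_RE.finditer(data):         # annotation dicts packed into a compressed stream
            found.setdefault(m.group(1).decode("latin-1"), "URI action (inside stream of object %d)" % objnum)
        if b"Tj" in data or b"TJ" in data:      # text-showing operators: page content
            for m in BARE_URL_RE.finditer(data):
                found.setdefault(m.group(0).decode("latin-1"), "document body (object %d)" % objnum)
    return found


if __name__ == "__main__":
    for r in carve_artifacts(SAMPLE_PDF):
        print(r["filename"], r["kind"], r["size"], r["sha256"][:16], r["source"])
    for url, channel in extract_urls(SAMPLE_PDF).items():
        print(channel, "->", url)
```

Hashing the decoded bytes rather than the compressed stream is what makes the SHA-256 column useful: the same font or content reused across many lure PDFs yields the same hash regardless of how each file was compressed, so the column can be pivoted on across samples. The channel label matters for triage too: a /URI action fires on a click without any text being shown, while a bare URL in the body text is only reachable if the reader copies it.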