Malicious PDF — malware analysis report

Static analysis result for SHA-256 d84e1baa1af74b58…

MALICIOUS

PDF

Size: 38.9 KB
Created: 2021-05-20 13:10:31 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2dcd1210c39e1316d6b546df3b75805b
SHA-1: bc2419cdeb0590db96878c87b3a648ff0578f938
SHA-256: d84e1baa1af74b585d52b08d12e1d35152b3f83033467a326b9ae73c8f69994b
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains text and embedded URLs that promote a fake Roblox account hacking tool. The heuristic firings indicate the presence of external URIs and a general ML classification of maliciousness. The document body explicitly contains links to external sites promising game hacks, suggesting a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9476

Heuristics (4)

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/how-to-hack-roblox-accounts-on-phone-game-hack
    • http://safari-crimea.com/images/daily-coin-master-spins_GM406889139.pdf
    • http://safari-crimea.com/images/game-hack-coin-master_GM406889139.pdf
    • http://safari-crimea.com/images/how-to-get-real-robux_GM431946152.pdf
    • http://safari-crimea.com/images/free-robux-rewards_GM431946152.pdf
    • http://safari-crimea.com/images/roblox-hacks-2021_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00003453.bin
    SHA-256: 0e0c676348e63273053cee7d10ab0d8a7ddca8e94a59d13f980ba13ffd58b80c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3453
    Size: 29008 bytes
  • Filename: font_01_sfnt_off000074ff.bin
    SHA-256: 92714a2af62378a1839a0ba08facac9787f9fdc52ffb1ff0f3d5734c2bdfa821
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74FF
    Size: 18908 bytes