Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbdea1c422731dc8…

Verdict: MALICIOUS
File type: PDF
Size: 43.4 KB
Created: 2021-05-22 10:18:21 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 133507e35fbbc3629db7f2039d100b23
SHA-1: 572dbf3bc3c56a8c97ae8e480c8f95ac2fc8200b
SHA-256: fbdea1c422731dc8d92daea5488d72be642e6b044ecf43ea819960e54c7a47d5
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded links and text promoting 'Coin Master Daily Free Spins' and 'free Robux', which are common lures for scams and phishing. The ML classifier also flagged the PDF as malicious. While no scripts were explicitly extracted, the presence of external URIs and the nature of the lures suggest an attempt to redirect the user to a malicious website, likely for credential harvesting or to deliver further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7947

Heuristics 4

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/406889139/coin-master-daily-free-spins-game-hack
    • http://pesok-rk.ru/images/how-to-hack-roblox-accounts-on-phone-2021_GM431946152.pdf
    • http://pesok-rk.ru/images/get-me-robux-for-free_GM431946152.pdf
    • http://pesok-rk.ru/images/free-robux-codes-2021-real_GM431946152.pdf
    • http://pesok-rk.ru/images/roblox-studio-free-robux_GM431946152.pdf
    • http://pesok-rk.ru/images/coin-master-free-stuff_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 4

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: stream_002_off00003758.bin
  SHA-256: 0af444847e2b663b4facb965c6914b13a7a217ec8692f3b380632446471f1bd2
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3758
  Size: 25360 bytes

Filename: font_01_sfnt_off00007089.bin
  SHA-256: a17c2a746d49ac23b23e38a371e32fddecfcd91b10cf42ff6155bff6b8a07e91
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7089
  Size: 4028 bytes

Filename: font_02_sfnt_off00007e29.bin
  SHA-256: 6fd7c7f447d66842f81aa8cf197935b17f22157d0c7e9f95622df1b5b4ddf530
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7E29
  Size: 2788 bytes

Filename: font_03_sfnt_off00008818.bin
  SHA-256: e42bde5f0ce420544e36e42831a39ceefa2103814e02a0c87b67b282abd28734
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8818
  Size: 18308 bytes