PDF static analysis report

Static analysis result for SHA-256 0c58b4d9aeb6f3ea…

Verdict: SUSPICIOUS

File type: PDF
Size: 46.0 KB
Created: 2021-06-11 09:38:25 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16

MD5: e2c5d9840d0c8e7785bb00115fbe3ecd
SHA-1: 418f8ecb63380b8052135891b4232f330f9d8c92
SHA-256: 0c58b4d9aeb6f3ead18dcca0a906d0db2879f528a96fca962cea96232d5c73f6

Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF carries one /URI link-annotation action and more than twenty URLs in its body text, all advertising "Robux hacks", free "Coin Master" spins and similar game-cheat lures (see PDF_URI and EMBEDDED_URL below). The Nyx PDF classifier scores it malicious at 0.9864. The call-to-action phrasing (SE_DOWNLOAD_BUTTON) and the authoring application (wkhtmltopdf, i.e. an HTML page rendered to PDF) fit a web-page-to-PDF lure: the document, whose body is partially corrupted, carries no payload of its own and exists to send the reader to the linked sites, where the advertised download is presumably offered. None of the listed heuristics reports JavaScript, a launch action or other active content, so the T1203 mapping is not evidenced by these static findings; the actionable output is the URL set, which should be blocked and hunted for in proxy and DNS logs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics (3)

  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel label for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel in brackets):
    • https://netcdn.tw/app/431946152/robux-hack-sur-pc-game-hack [PDF link annotation]
    • https://inspiration-modellbau.de/images/free-robux-hack-us_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-avatar-roblox_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/roblox-intriga-injector-free_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/adopt-me-roblox-hacks_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-roblox-trolling-tips-for-frappe_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/minecraft-for-free-apk_GM479516143.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/robux-only_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/google-how-do-you-get-free-robux_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/how-to-hack-roblox-to-get-free-robux_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/easy-how-to-get-free-robux_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-hack-tool-robux_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/coin-master-hack-no-human-verification-2021_GM406889139.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-robux-please_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/how-to-get-free-robux-games_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/coin-master-free-spons-apk-2021_GM406889139.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-spin-coin-master-hacktoman_GM406889139.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/roblox-cheat-engine-shut-down-server_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-coin-master-cheats_GM406889139.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/how-to-make-free-shirts-on-roblox_GM431946152.pdf [PDF document text]
    • https://inspiration-modellbau.de/images/free-robux-games-2021_GM431946152.pdf [PDF document text]
    • https://robuxhaxs.com [PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off000053a8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x53A8 | 27460 bytes | 236a073b92e87bcb78f201442bfdb3b917c5edee4a5a50270040e70c41c850fc
font_01_sfnt_off000090d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90D7 | 18400 bytes | db666fecd12d597f1d420a4b9d00915bdd4e44b9b3ed30e6eec3592bb4681dff
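The two findings above (URL attribution by channel under PDF_URI / EMBEDDED_URL, and stream carving under Extracted artifacts) are reproduced by the standard-library Python below. It is an added example written for this page, not the analysis engine's code, and the domains, object layout, kind labels ("content-stream", "sfnt-font") and field names are its own. It walks every `N G obj ... endobj` pair rather than trusting the cross-reference table (the sample's body is partially corrupted, and malformed lure PDFs are common), inflates FlateDecode streams with `zlib.decompressobj` so a truncated stream still yields partial output, hashes what it carves, and attributes each URL to either a `/URI` action (link annotation) or the joined text operands of a content stream (document text). Joining the fragments of a `TJ` array matters because wkhtmltopdf and similar HTML renderers kern text into several strings, which would otherwise split a URL. It is a regex triage tool, not a PDF parser: object streams (`/ObjStm`), hex-string `/URI <...>` values and `#xx`-escaped names are not handled, and a verdict still needs the ML and heuristic context above.

```python
"""Triage a PDF the way the PDF_URI / EMBEDDED_URL heuristics and the stream
carving above do: walk objects, inflate FlateDecode streams, hash the carved
output, and attribute each URL to the channel that carried it."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length only
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")        # literal-string /URI only
SHOW_RE = re.compile(rb"\[(.*?)\]\s*TJ|\(((?:\\.|[^\\)])*)\)\s*(?:Tj|'|\")", re.S)
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)", re.S)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'*+,;=%-]+")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile|RichMedia)\b")
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Constructed content stream (hypothetical domains): one URL as a single Tj
# string, one split across a kerned TJ array the way HTML-to-PDF output does it.
SAMPLE_CONTENT = (
    b"BT /F1 12 Tf 72 700 Td "
    b"(Download at https://example-lure.test/free-robux.pdf) Tj "
    b"0 -14 Td [(https://kern) -15 (ed.example-lure.test/spins.pdf)] TJ "
    b"ET"
)


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: one page whose FlateDecode
    content stream names URLs in text and whose /Link annotation carries a /URI
    action. No xref table is written on purpose; the scanner must not need it."""
    packed = zlib.compress(SAMPLE_CONTENT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 712] "
        b"/A << /S /URI /URI (https://cdn.example-lure.test/app/1/hack) >> >>",
    ]
    out = b"%PDF-1.4\n"
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for URLs."""
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def text_of(content: bytes) -> bytes:
    """Join the string operands of Tj / TJ / ' / " operators. Fragments inside
    one TJ array are glued with no separator; separate operators get a space."""
    pieces = []
    for m in SHOW_RE.finditer(content):
        if m.group(1) is not None:
            pieces.append(b"".join(unescape(s) for s in LITERAL_RE.findall(m.group(1))))
        else:
            pieces.append(unescape(m.group(2)))
    return b" ".join(pieces)


def classify(decoded: bytes) -> str:
    """Coarse kind label for a carved stream (labels are this example's own)."""
    if decoded[:4] in SFNT_MAGIC:
        return "sfnt-font"
    if re.search(rb"\bBT\b.*\bET\b", decoded, re.S):
        return "content-stream"
    return "other"


def analyse(pdf: bytes) -> dict:
    urls, artifacts, active = [], [], set()
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(3)
        scan_targets = [body]                      # raw dictionaries: /URI actions, active-content names
        sm = STREAM_RE.search(body)
        if sm:
            head, data = body[:sm.start()], body[sm.end():]
            lm = LENGTH_RE.search(head)
            if lm:
                data = data[:int(lm.group(1))]
            else:                                  # no usable /Length: fall back to the keyword
                data = data[:data.rfind(b"endstream")].rstrip(b"\r\n")
            if b"/FlateDecode" in head:
                try:                               # decompressobj returns what it can from a truncated stream
                    data = zlib.decompressobj().decompress(data)
                except zlib.error:
                    data = b""                     # corrupt header: nothing to carve
            if data:
                kind = classify(data)
                artifacts.append({"offset": obj.start(3) + sm.end(), "kind": kind,
                                  "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
                scan_targets.append(data)
                if kind == "content-stream":
                    for u in URL_RE.findall(text_of(data)):
                        urls.append((u.decode("latin-1"), "document text"))
        for blob in scan_targets:
            for u in URI_RE.findall(blob):
                urls.append((unescape(u).decode("latin-1"), "link annotation"))
            active.update(n.decode() for n in ACTIVE_RE.findall(blob))
    return {"urls": sorted(set(urls)), "artifacts": artifacts, "active_content": sorted(active)}


if __name__ == "__main__":
    report = analyse(build_sample_pdf())
    for url, channel in report["urls"]:
        print(f"{url}  [{channel}]")
    for art in report["artifacts"]:
        print(f"stream at 0x{art['offset']:X}: {art['kind']}, {art['size']} bytes, sha256 {art['sha256']}")
    print("active content:", report["active_content"] or "none")
```

Run against a real sample the `urls` list is what you feed to blocking and log hunting, and an empty `active_content` list is the condition under which the T1203 mapping above has no static evidence; a non-empty one means the `/JavaScript`, `/Launch` or `/OpenAction` objects deserve their own carving pass.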