PDF static analysis report

Static analysis result for SHA-256 0e0d29eb644cfe53…

Verdict: SUSPICIOUS
File type: PDF
Size: 46.5 KB
Created: 2021-05-12 17:00:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8d5d7ab3ff39048ecfa2b09a509305e5
SHA-1: 4deded884b3976ea90b747009137fe7a9895b559
SHA-256: 0e0d29eb644cfe532a2d4e702827c4029de24c7bb44c42cecdb23ade5a2606bc
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous URLs and text related to obtaining free Robux, suggesting a lure for users to download a payload. The ML classifier flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of external URIs and the document's theme indicate an attempt to trick users into downloading potentially harmful files, likely through a spearphishing attachment vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/can-you-give-me-free-robux-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off00004b3c.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4B3C
  Size: 26096 bytes
  SHA-256: ccda8048c24cacadd3301d4c90da7ed29bd5802af56d5aa49de22a1e0f0fc51c

font_01_sfnt_off000087ef.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x87EF
  Size: 2880 bytes
  SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132

font_02_sfnt_off000091d9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x91D9
  Size: 18836 bytes
  SHA-256: f7ef8038c45e68508aae9bb0b63a3af28c92eee5ac21090050d85675c825651a