PDF static analysis report

Static analysis result for SHA-256 0e29dcfd332a22e6…

Verdict: SUSPICIOUS
File type: PDF
Size: 35.8 KB
Created: 2021-07-01 09:58:59 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 890f2fa847652a637cdbdf4eff6efff8
SHA-1: ea6683c2da5c38625ea707dfd79850dff73bb103
SHA-256: 0e29dcfd332a22e63bc1de54f4c023379a2e1b33d4f27166ffb10528d658d3fd
Risk Score: 42

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains lures related to 'free Roblox promo codes' and 'Robux', directing users to external URLs that likely host malicious content or further phishing attempts. The ML classifier strongly flagged this PDF as malicious, and the presence of embedded URIs supports a phishing or malware distribution vector. No scripts were extracted, but the document's structure and content suggest it's part of a social engineering campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.co/app/431946152/free-roblox-promo-codes-for-robux-2021-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000032a3.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x32A3
  Size: 22572 bytes
  SHA-256: 73cbaa9552edeb2ee20361b93c57f0805bf4ee73441c97a36215f73c7c6881b0

Filename: font_01_sfnt_off000064f4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x64F4
  Size: 19780 bytes
  SHA-256: 1d49abb43ad5ffbf0aa70993833f1925edecc6488cb1510eae02db0b64ef0ab0