PDF static analysis report

Static analysis result for SHA-256 1433a87c746f93f4…

SUSPICIOUS

PDF

Size: 52.5 KB
Created: 2021-06-03 06:51:28 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 70fc471325bb96807a6b02136574e76b
SHA-1: 35a222d42f556d03332dbac7c9a10a4d8de09b3b
SHA-256: 1433a87c746f93f436a2e6b70664da07c0aec6d88ba5b4050b79a77f49ed40d4
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs and a heuristic firing for external URIs, all pointing to sites offering game hacks and in-game currency. The document body, though partially corrupted, includes references to 'Roblox 2021 Hack' and similar lures, reinforcing the phishing assessment. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9657

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.online/app/431946152/roblox-2021-hack-game-hack (In PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      | Kind                    | Source                                    | Size
stream_004_off00004f70.bin    | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4F70  | 28692 bytes
  SHA-256: 9442d33e3a6e601afc3e6a6ab41ce05e8c82cc74f294eba4b528e4329704c2ff
font_01_sfnt_off00008fb3.bin  | pdf-font-stream         | PDF embedded font (sfnt) at offset 0x8FB3 | 3608 bytes
  SHA-256: 608f0dd4f6bfb6adbccec84228618ee8e4c9e09226d7330efb5300e499d1567f
font_02_sfnt_off00009c36.bin  | pdf-font-stream         | PDF embedded font (sfnt) at offset 0x9C36 | 5696 bytes
  SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
font_03_sfnt_off0000a947.bin  | pdf-font-stream         | PDF embedded font (sfnt) at offset 0xA947 | 18584 bytes
  SHA-256: 0d052e0fccd73391d0e4376686c91c36ea26f223879c53cf61dff021e779cee2