PDF static analysis report

Static analysis result for SHA-256 14b47081874c0f8e…

Verdict: SUSPICIOUS
File type: PDF
Size: 45.6 KB
Created: 2021-06-10 22:11:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 2377c308972fe041df9390e0ce8882d6
SHA-1: caa3743461efad033afe8641891e4aa4c475a6bb
SHA-256: 14b47081874c0f8ed920eea21a7b7ee567fccf9b29ec4c2195cae8555e5dbbcd
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF document contains numerous embedded URLs and a heuristic firing for external URIs, all pointing to sites offering game hacks and cheats. The ML classifier also flagged this PDF as malicious with high confidence. The document body, though partially corrupted, contains text related to 'Roblox Noob Army T Shirt Free' and includes URLs that likely lead to the download of further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics (3)

  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/roblox-noob-army-t-shirt-free-game-hack (PDF link annotation)
    • http://stpc.it/images/minecraft-pe-hacks-ios_GM479516143.pdf (in PDF document text)
    • http://stpc.it/images/how-to-hack-and-edit-roblox-permanently_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/free-robux-generator-2021-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/coin-master-heaven-free-spins-and-coins_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/earn-robux-com_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/free-coin-and-spin-in-coin-master_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/how-to-spawn-hack-in-apocolips-rising-roblox-2021_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/how-to-hack-robux_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/coin-game_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/how-to-get-minecraft-for-free-on-ipad_GM479516143.pdf (in PDF document text)
    • http://stpc.it/images/coin-master-hack-tool-ios_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/mcpe-download_GM479516143.pdf (in PDF document text)
    • http://stpc.it/images/minecraft-free-download-mac_GM479516143.pdf (in PDF document text)
    • http://stpc.it/images/how-to-hack-into-roblox-for-robux_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/coin-master-free-spins-daily_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/roblox-hacking-website_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/real-minecraft-for-free_GM479516143.pdf (in PDF document text)
    • http://stpc.it/images/coin-master-free-spins-hacktman_GM406889139.pdf (in PDF document text)
    • http://stpc.it/images/free-password-and-logins-for-roblox_GM431946152.pdf (in PDF document text)
    • http://stpc.it/images/coin-master-hack-ios-2021_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000051da.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x51DA
  Size: 26812 bytes
  SHA-256: dc8a53e23bf63e3e2a7b02f6279dac691813ac336ae0f2e1ecba4023429d5328

Filename: font_01_sfnt_off00008e7f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8E7F
  Size: 18780 bytes
  SHA-256: 43ee0349b5c924812d49fd5cdb9e5d264660743f2a5c808ad3029bc0fd1a4b12