PDF static analysis report

Static analysis result for SHA-256 2bdfe782624f7782…

SUSPICIOUS

PDF

Size: 44.1 KB
Created: 2021-05-22 22:08:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: b8294fa6446f6c683a075fcada617302
SHA-1: 55c0f2aac0e3b8d1068ad0f479a1ee8dc2bd5bcb
SHA-256: 2bdfe782624f77824b8ddcb3685627d85b1c98759c19ba98c22f995cf5202cd4
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text that lure the user towards websites promising free in-game currency (Robux, Coin Master spins). The ML classifier flagged this PDF as malicious, and the presence of multiple suspicious URLs reinforces this finding. The document body explicitly mentions 'CLICK HERE TO ACCESS ROBLOX GENERATOR', indicating a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7947

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/how-to-get-free-robux-game-hack (PDF link annotation)
    • http://elearning.maspro.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link_GM406889139.pdf (in PDF document text)
    • http://elearning.maspro.sch.id/__statics/gudangsoal/files/how-to-buy-robux-for-free_GM431946152.pdf (in PDF document text)
    • http://elearning.maspro.sch.id/__statics/gudangsoal/files/how-to-get-free-hats-on-roblox_GM431946152.pdf (in PDF document text)
    • http://elearning.maspro.sch.id/__statics/gudangsoal/files/apps-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://elearning.maspro.sch.id/__statics/gudangsoal/files/coin-master-hacks-and-cheats_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off000033a7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x33A7 | 27580 bytes | 247794d3a0ad1aeb4cdcaeab8325ffe9e88438d97d812f69a3290a110a924786
font_01_sfnt_off000073f1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x73F1 | 2852 bytes | e9630f3bb738ae3bc329a423cf069c8035d70ce2227e3557c42815f85ad3284f
font_02_sfnt_off00007dae.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7DAE | 5696 bytes | 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
font_03_sfnt_off00008abf.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8ABF | 18280 bytes | 2eeeedfcb2f224ab556fa0ab031baeab03f86dcbcf90e3baaaf5b6d88536dec3