PDF static analysis report

Static analysis result for SHA-256 32b888dac0c2bfca…

SUSPICIOUS

PDF

Size: 35.3 KB
Created: 2021-07-02 02:37:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8de85bf5d9516b68ac532f5fe533bc27
SHA-1: 168dfa61a9b7aaa1d0aa12f757a9e8c2c7102496
SHA-256: 32b888dac0c2bfcaf55f158eb18ba6f8ac5cb4a5ce2979bec62a531265a8546a
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a document body that explicitly advertises game hacks and cheats, aiming to trick users into downloading malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/yin-vs-yang-roblox-cheat-game-hack (PDF link annotation)
    • http://www.stttekstil.ac.id/elib/repository/roblox-2021-hack_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/roblox-code-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/hacks-para-coin-master_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/coin-master-online-hack-tool_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/free-robux-images_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/claim-robux_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/robux-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/free-robux-website-no-password_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/can-you-really-hack-coin-master_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/como-hackear-el-juego-coin-master-en-espaol_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/hacking-program-for-roblox-to-hack-accounts_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/free-rpg-games-to-steal-roblox_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/roblox-updated-hack_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/how-to-speed-hack-on-jailbreak-roblox_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/hacks-on-roblox-adopt-me_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/master-coin-hack-game_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/hackear-coin-master-2021_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/free-coin-master-hacks_GM406889139.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/123-free-robux-is-this-a-hack_GM431946152.pdf (in PDF document text)
    • http://www.stttekstil.ac.id/elib/repository/how-to-get-free-unlimited-robux_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000301b.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x301B
Size: 23520 bytes
SHA-256: 8e89ed91d7c10804e3c09f6e45be3597c652ad00cc719e76e53a821a423d0476

Filename: font_01_sfnt_off000064a7.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x64A7
Size: 19172 bytes
SHA-256: 42a6bd186e9af39d7d09291ab908db19381599718c16e2048cef1254b5bccfdf