PDF static analysis report

Static analysis result for SHA-256 332bb81c2eee5ce2…

SUSPICIOUS

PDF

Size: 33.3 KB
Created: 2021-06-20 21:50:23 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 7a8e84a1059dc99d924744c40ff4edbd
SHA-1: 56ceab63cbfafa25b5329b037db8fb7485ac827e
SHA-256: 332bb81c2eee5ce25073754616bc21ae38ca002c89e395936f9d064013450768
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a clear lure related to obtaining free items in the game Roblox, as indicated by the document body and the embedded URL. The ML classifier strongly flagged this PDF as malicious, and the presence of an external URI further supports malicious intent. The document likely serves as a phishing lure or a gateway to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 3

  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.co/app/431946152/how-to-get-free-wings-on-roblox-game-hack (PDF link annotation)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002d8a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D8A | 21396 bytes
    SHA-256: 0585ffcddcfbd39b12b6024e8d98171ca6369c9dc605b2c69c2fdd92c8e4b2df
font_01_sfnt_off00005c73.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C73 | 19236 bytes
    SHA-256: 92c8fb10159f4e5712e427132f457a4645372cd86bba8d4c09f1091e17f11185