PDF static analysis report

Static analysis result for SHA-256 3658f50e07670d12…

SUSPICIOUS

PDF

File type: PDF, 33.8 KB
Created: 2021-06-25 20:51:31 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 68414fc1a71c563cfd0d860baf1646a9
SHA-1: 55b3fac8d11d653eb3ad76897e7812767c0db3a4
SHA-256: 3658f50e07670d12ece6e5bf1906b3f493ddc72d7c9e24974950348b998b0020
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs and document body text that explicitly advertise free in-game items for popular games, aiming to trick users into downloading potentially malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports a malicious intent to redirect users to harmful sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002e5a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E5A
    Size: 21888 bytes
    SHA-256: bb8cb81ec20282ff0d5a07c265afc856bdd884d61f03ad186db72421e44b3e7c
  • font_01_sfnt_off00005ed3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5ED3
    Size: 19180 bytes
    SHA-256: 54b9e1b5e78ea99b7c90cb2ccd1853f400c15e859a1e7ad7c45faa40b4565b2d