PDF static analysis report

Static analysis result for SHA-256 3a1193812b45dd45…

SUSPICIOUS

PDF

Size: 33.4 KB
Created: 2021-07-03 11:43:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 617fa86e9e5ae7ad3f2a66186c171bcc
SHA-1: 148afd7b2b08b12446479d9cad1a2f02c54709e0
SHA-256: 3a1193812b45dd45b7115c155e9c894570590022bca494a525c2f14fc1351cba
Risk score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains embedded URLs and a document body that explicitly mentions collecting Robux and hacking games, indicating a lure for users to download potentially malicious applications. The ML classifier strongly flagged this PDF as malicious, supporting the assessment that it is designed for user deception and payload delivery. The primary IOC is the URL http://netcdn.tw/app/431946152/collect-robux-game-hack, which is likely the download location for the secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/collect-robux-game-hack (PDF link annotation)
    • http://digilib.unbari.ac.id/repository/coin-master-32-hack-apk_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/coin-master-sound-daily-free-spins-link-today_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/how-to-hack-someones-roblox-account-with-cheat-engine_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/how-to-hack-using-roblox-client_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/roblox-egg-hunt-2021-hack-script_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/roblox-colouring-pages-free_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/how-to-get-free-robux-no-survey_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/best-free-hair-for-roblox_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/static-moonactive-net-link_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/roblox-login-hack_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/how-to-get-any-roblox-gamepass-for-free-2021_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/earn-free-roblox-gift-cards-legits_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/where-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/roblox-gear-cheat_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/coin-master-hack-2021-apk-download_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/coin-master-free-spins-ios-app_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/pastebin-roblox-free-catalog-dominus_GM431946152.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/classic-minecraft-net-hacks_GM479516143.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/coin-master-spins-hack_GM406889139.pdf (in PDF document text)
    • http://digilib.unbari.ac.id/repository/get-free-roblox_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002e52.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E52
    Size: 21792 bytes
    SHA-256: 418cbb124ecae28103017ff6203f3bb9c4e57cb5960196837488922187b604ea
  • Filename: font_01_sfnt_off00005e30.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E30
    Size: 18728 bytes
    SHA-256: d66c08f78f239917c4ec7ae029ac685f0727a5c25a17f7bea25f393002770508