PDF static analysis report

Static analysis result for SHA-256 3caab4ab5c1982f6…

SUSPICIOUS

PDF

Size: 50.6 KB
Created: 2021-05-13 21:40:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 7114cfbbe07c7ac019b265b0b984a6ad
SHA-1: 4e04fd9a54542b18b3a60fe8b25d053f2b5e54dd
SHA-256: 3caab4ab5c1982f671703a8f886603a01d51ae93c2e75a3c01408f1bc9f3f340
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains embedded URLs and a visual call-to-action, suggesting it is designed to trick users into downloading further content. The ML classifier also flagged this PDF as malicious, increasing confidence in its suspicious nature. The primary lure appears to be related to free items for the game Roblox.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8594

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • stream_003_off00004b16.bin (decompressed-pdf-stream): PDF FlateDecoded stream at offset 0x4B16, 25812 bytes
    SHA-256: ec3793863ff82bbf18be00a5dde0a9f5195c2ae77e2f3a663ecc99afc121f30a
  • font_01_sfnt_off00008781.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x8781, 3884 bytes
    SHA-256: 40b61f8938bd710dc29dc58ba3fde91c245a6a69596ec569b4d27c769ca417cf
  • font_02_sfnt_off00009424.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0x9424, 6100 bytes
    SHA-256: f866077ce59d6ea276f75e4af76daa2aab5f3a1a679df144776123d85664d65c
  • font_03_sfnt_off0000a2b0.bin (pdf-font-stream): PDF embedded font (sfnt) at offset 0xA2B0, 18400 bytes
    SHA-256: ff0928d05cd2328f5f6db263fee94a7b5023d77c4cae175890f1311eb4a8d902