PDF static analysis report

Static analysis result for SHA-256 3e43a88da921101c…

Verdict: SUSPICIOUS
File type: PDF
Size: 43.3 KB
Created: 2021-05-01 10:36:21 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c6c6bbbb0bdfbd8985cf79fccac6c9e9
SHA-1: 211bef668f0e9bb5c45e6f9092b6e87b7bdac07b
SHA-256: 3e43a88da921101c3779360259c1263add3fc0e84a49cc1b09da512588c0ab9e
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an external link annotation, several URLs in its body text, and a visual download / call-to-action button, a combination designed to get the reader to fetch further content rather than to exploit the PDF reader itself (no JavaScript, embedded files or exploit-style objects are reported). The ML classifier independently scored the file as malicious with high confidence. The body text and the extracted URLs share one theme, hacks, scripts and free Robux for the game Roblox, a lure commonly used to distribute malware to younger users. The authoring application (wkhtmltopdf) indicates the document was rendered from an HTML page, which fits a web-page-to-PDF lure generated at scale.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9868

Heuristics (3)

  • SE_DOWNLOAD_BUTTON (severity: low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (severity: info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel label on each URL shows how it was reached (macro, JS, link annotation, document body, ...).
    • PDF link annotation: https://netcdn.xyz/app/431946152/fan-free-games-roblox-game-hack
    • PDF document text: http://technibuild-group.com/uploaded_files/userfiles/files/roblox-dragon-ball-rage-hack-script-pastebin-2021.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/robloxs-got-talent-painting-hack.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/free-robux-with-no-games.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/roblox-strucid-free-skin.pdf
    • PDF document text: http://technibuild-group.com/uploaded_files/userfiles/files/add-robux-for-free.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/knife-server-roblox-hack-script-pastebin.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/how-to-get-book-wings-in-roblox-for-free.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/free-roblox-toy-june-2021.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/how-to-do-you-get-a-free-robux.pdf
    • PDF document text: http://www.technibuild-group.com/uploaded_files/userfiles/files/how-yo-hac-roblox-and-get-a-key-card-hack.pdf
    • PDF document text: http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off000043af.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x43AF
  Size: 25704 bytes
  SHA-256: 2593e294fa815deb51552bf6669714cdda9322e8abd37792416e1bbca3fa8f82

font_01_sfnt_off00007d39.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7D39
  Size: 2832 bytes
  SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2

font_02_sfnt_off000086e9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x86E9
  Size: 18436 bytes
  SHA-256: cf1861e6d5c3d94e34a12fcdcefefe0e0b64b1cd4b6aba363dfb59e35d1ed36d
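As an added example (not the analysis service's own code), the Python script below reproduces on a constructed sample PDF what the three heuristics and the artifacts table above describe: it pulls the target of each /URI action out of link annotations, carves every stream object and inflates the FlateDecode ones while recording their data offset and SHA-256, and scans the decoded text for URLs and call-to-action phrases, labelling each URL with the channel that reached it. The sample PDF, its hostnames (under the reserved .invalid TLD) and the label strings are constructed for this example; the scanner handles only direct /Length values and plain ASCII literal strings, so it is a triage aid, not a full PDF parser.

```python
"""Minimal PDF lure triage: link-annotation URIs, FlateDecode stream carving,
URL and call-to-action extraction from decoded text. Example code, not the
report generator's implementation."""
import hashlib
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Assumes the common '/A << /S /URI /URI (...) >>' key order; real files may differ.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\(([^)]*)\)", re.DOTALL)
CTA_RE = re.compile(rb"click here to download|download now", re.IGNORECASE)
STREAM_KW_RE = re.compile(rb"(?<!end)stream\r?\n")   # skip the one inside 'endstream'


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: one /Link annotation with a
    /URI action and one Flate-compressed page content stream whose text carries
    a URL and a 'Download Now' phrase. No xref table; our scanner does not need it."""
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (Download Now: http://lure.example.invalid/free.pdf) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
        b" /A << /S /URI /URI (https://cdn.example.invalid/app/1/game-hack) >> >>",
    ]
    pdf = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def carve_streams(pdf: bytes) -> list:
    """Walk every stream object in file order and inflate the FlateDecode ones.
    Only a direct '/Length n' is honoured; '/Length n 0 R' (indirect) is skipped."""
    found, cursor = [], 0
    for kw in STREAM_KW_RE.finditer(pdf):
        if kw.start() < cursor:          # keyword bytes inside a previous stream's data
            continue
        obj_at = pdf.rfind(b" obj", cursor, kw.start())
        if obj_at < 0:
            continue
        dictionary = pdf[obj_at:kw.start()]
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        if not length:
            continue
        start = kw.end()                 # offset of the first stream data byte
        raw = pdf[start:start + int(length.group(1))]
        cursor = start + len(raw)
        is_flate = b"/FlateDecode" in dictionary
        try:
            data = zlib.decompress(raw) if is_flate else raw
        except zlib.error:
            continue                     # truncated or bogus stream: skip, do not crash
        found.append({"offset": start, "flate": is_flate, "data": data,
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def text_strings(data: bytes) -> bytes:
    """Join the literal '(...)' strings of a content stream. Real documents often use
    hex strings and subset-font encodings that need a ToUnicode map; not handled here."""
    return b" ".join(re.findall(rb"\(([^()]*)\)", data))


def triage(pdf: bytes) -> dict:
    """Return every URL with the channel that reached it, the heuristic labels
    tripped (names chosen to mirror the report), and the carved streams."""
    urls = {}                             # url -> channel label, first channel wins
    for m in URI_ACTION_RE.finditer(pdf):
        urls.setdefault(m.group(1).decode("latin-1"), "PDF link annotation")
    streams = carve_streams(pdf)
    cta = False
    for s in streams:
        text = text_strings(s["data"])
        cta |= CTA_RE.search(text) is not None
        for u in URL_RE.findall(text):
            urls.setdefault(u.decode("latin-1"), "PDF document text")
    labels = []
    if "PDF link annotation" in urls.values():
        labels.append("PDF_URI")
    if urls:
        labels.append("EMBEDDED_URL")
    if cta:
        labels.append("SE_DOWNLOAD_BUTTON")   # low-signal unless paired with the above
    return {"urls": urls, "labels": labels, "streams": streams}


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    for url, channel in result["urls"].items():
        print(f"{channel}: {url}")
    for s in result["streams"]:
        print(f"stream at offset 0x{s['offset']:X}, {len(s['data'])} bytes, sha256 {s['sha256']}")
    print("labels:", result["labels"])
```

Run it against a real sample by replacing build_sample_pdf() with the file's bytes; the carve loop's cursor check is what keeps a compressed stream whose bytes happen to spell "stream" from being re-parsed as a new object, and the zlib error path is the one a deliberately truncated lure stream will exercise.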