PDF static analysis report

Static analysis result for SHA-256 409f572353a27baa…

SUSPICIOUS

PDF

Size: 48.6 KB
Created: 2021-06-11 01:09:11 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 3b27de1f3f3b684c2229814647f45a5a
SHA-1: c52ef00935ab0633fd6b0d4fa3e639986bfde50b
SHA-256: 409f572353a27baa16ac4643978f56ced578b4718c103442952b6e9527420a6b
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure for free Robux, directing users to a suspicious URL. The ML classifier flagged the PDF as malicious with high confidence. Although no scripts were explicitly extracted, the presence of embedded URLs and the document's content suggest an attempt to trick users into visiting malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics 3

  • Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.tw/app/431946152/how-to-get-free-robux-in-roblox-2021-no-download-game-hack (PDF link annotation)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off00005240.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5240 | 25140 bytes | fb1e9bfbab25119e6a70f7a366ef392c604d400cb746ba73330d460efdf0c626
font_01_sfnt_off00008b54.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B54 | 5596 bytes | 9a13c2580265a78e8a7257496a31ee0055738af7e20a5661c2902efe4bf05ce5
font_02_sfnt_off000097fc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x97FC | 19328 bytes | c8d74b865f9d5d8cdfa73a2f0a9e4a503264327d5fa49bde77a265ca727c82e2