PDF static analysis report

Static analysis result for SHA-256 40eca0a13b87fe6e…

SUSPICIOUS

PDF

Size: 33.5 KB
Created: 2021-07-20 04:49:41 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 4ee1a96d0449595d8fba33d5b69ed2be
SHA-1: a3431c40757007bcedc6f3129a14f4f5db7a6003
SHA-256: 40eca0a13b87fe6e0c41b31e32d8af5b857e7813276234da3148806917d69b0f
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document carries multiple embedded URLs and a prominent 'Free Robux Hack' call-to-action, which together strongly suggest a phishing or scam lure aimed at gamers. The Nyx PDF classifier scored the file as malicious with high confidence (0.9942). No JavaScript, embedded files or other active content were extracted, so nothing in the static analysis indicates the document executes code itself; the risk lies in the external links. The link annotation points to a 'game hack' landing page, and the URLs in the body text point to a user-upload directory on an unrelated third-party site hosting similarly named PDFs, a pattern consistent with redirecting the reader to pages used for credential harvesting or further malware delivery. The wkhtmltopdf authoring application indicates the file was produced by converting a web page to PDF rather than authored in an office suite.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/free-robux-hack-game-hack (PDF link annotation)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/free-tiktok-likes-no-human-verification-or-download_GM835599320.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/how-to-get-tiktok-famous-free_GM835599320.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/rblx-city-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/coin-master-free-spins-link-today-facebook_GM406889139.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/how-to-hack-someones-account-on-roblox_GM431946152.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/minecraft-for-ipad-free_GM479516143.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/microsoft-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/free-robux-card-codes_GM431946152.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/minecraft-bedrock-free_GM479516143.pdf (in PDF document text)
    • http://www.technibuild-group.com/uploaded_files/userfiles/files/roblox-fly-hack_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00002cc8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2CC8 | 22792 bytes | 57868f51171f679962538f32611685b03827c80271acf188e2135c37d1a8340b
font_01_sfnt_off00005fe0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FE0 | 18600 bytes | 396239e8b43e5cb835d10c8894d5657298dbd9c370cdf87998bbc4c73774b087
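The following is an added example, not code from the analysis engine that produced this report. It is a stdlib-only Python scanner that reproduces the channels the heuristics and the artifact table above rely on: URLs reached through /URI actions (the link annotation channel), URLs written in the page text (decoded from the content stream), and carving of embedded sfnt font streams with their file offset, size and SHA-256, named the way the table names them. It runs against a constructed minimal PDF built inline; every URL in it uses the reserved example.invalid domain and is made up. It assumes Flate is the only stream filter in play and that /URI values are literal strings; hex strings, other filters and text split across several Tj operators would need a real PDF parser.

```python
import hashlib
import re
import zlib

# Magic numbers that open an sfnt container (TrueType, OpenType/CFF, collection).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# The "stream" keyword (not the tail of "endstream"), then the body up to "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Literal-string value of a /URI key; tolerates backslash-escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): one page whose content stream
    shows a URL as visible text, one /Link annotation with a /URI action, and one
    embedded font stream that starts with the TrueType sfnt magic. No xref table
    is written because the scanner below never needs one."""
    text_ops = (b"BT /F1 12 Tf 72 700 Td "
                b"(Free Robux Hack: http://example.invalid/uploaded_files/free-robux.pdf) Tj ET")
    content = zlib.compress(text_ops)          # real PDFs usually Flate-compress page content
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # sfnt magic plus filler, not a real font
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] "
        b"/Resources << /Font << /F1 6 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 400 712] "
        b"/A << /S /URI /URI (http://example.invalid/app/free-robux-hack) >> >>",
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Fake /FontDescriptor 7 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fake /FontFile2 8 0 R >>",
        b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def _dedupe(items):
    """Order-preserving de-duplication."""
    return list(dict.fromkeys(items))


def _unescape(s: bytes) -> str:
    """Resolve the \\( \\) \\\\ escapes allowed inside a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def iter_streams(pdf: bytes):
    """Yield (file_offset, decoded_bytes) for every stream body. The owning
    object's dictionary (everything after its 'obj' keyword) is checked for
    /FlateDecode; any other filter is left undecoded (assumption)."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        head = pdf[max(0, pdf.rfind(b"obj", 0, m.start())):m.start()]
        data = raw
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                pass  # keep the raw bytes; a corrupt stream is itself worth noting
        yield m.start(1), data


def find_uri_actions(pdf: bytes) -> list:
    """URLs reached through /URI actions (link annotations, OpenAction, ...)."""
    return _dedupe(_unescape(m.group(1)) for m in URI_RE.finditer(pdf))


def find_text_urls(pdf: bytes) -> list:
    """URLs present in the page text: scanned from decoded content streams,
    skipping anything that looks like a font."""
    found = []
    for _, data in iter_streams(pdf):
        if data[:4] in SFNT_MAGICS:
            continue
        found.extend(u.decode("latin-1") for u in URL_RE.findall(data))
    return _dedupe(found)


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Carve embedded sfnt fonts, naming and hashing them as the report table does."""
    fonts = []
    for offset, data in iter_streams(pdf):
        if data[:4] not in SFNT_MAGICS:
            continue
        fonts.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(fonts), offset),
            "offset": offset,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return fonts


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("URI actions:", find_uri_actions(sample))
    print("URLs in text:", find_text_urls(sample))
    for f in carve_sfnt_fonts(sample):
        print(f["filename"], f["size"], "bytes", f["sha256"])
```

Keeping the two URL channels separate matters for triage: a /URI action fires when the reader clicks the link, whereas a URL in body text is only a lure the reader must copy by hand, so the per-URL label tells you which path an attacker is counting on. Hashing the carved fonts the way the table does lets you pivot on them across samples, since scam generators tend to reuse the same font files.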