PDF static analysis report

Static analysis result for SHA-256 44ee38ab23ff1bbc…

SUSPICIOUS

PDF

Size: 33.9 KB
Created: 2021-06-19 15:55:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 2afb867305b26d097550242fe8b0554a
SHA-1: faab256452b813eaf6dd236e966df0c7e0466fdf
SHA-256: 44ee38ab23ff1bbcc5c6e34d31b74da15191e3a3d6788fef4db301cef3c26840
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous URLs promoting game cheats and hacks, including a primary URL for a 'Roblox Hack Tool'. The ML classifier strongly flagged this PDF as malicious, and the presence of embedded URIs suggests an attempt to redirect users to download potentially harmful files. No scripts were extracted, but the overall pattern indicates a lure for malicious downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.co/app/431946152/roblox-hack-tool-variables-search-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00002d3e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D3E | 22520 bytes | f9caa4d9efa5d7ad57472194f99aaae27a7c0663ac602fc481a6a08be5d9163d
font_01_sfnt_off00005f8e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F8E | 19076 bytes | 908935052588a7b0a444d33765c8abd7d79d2a0941c1da43d8e92780f9ab5b87