PDF static analysis report

Static analysis result for SHA-256 50fa1f2bbffadc76…

Verdict: SUSPICIOUS
File type: PDF
Size: 44.4 KB
Created: 2021-05-10 23:35:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8c4e7242fa642246f2afc2cf7b14fa1b
SHA-1: c59d225012e2b22fcc9e112931f30c2d06adb7af
SHA-256: 50fa1f2bbffadc76e78ab46cb52dcad71fd122a40b0dbb8af40f9ae64db25887
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document carries lures for free game items (Minecraft, Robux, Coin Master spins) and has one external URI action, a link annotation pointing to a download page on netcdn.xyz. The document text also lists a series of similarly named lure PDFs hosted on grugliascogiovani.org. The ML classifier scored the file as malicious (0.9632). No JavaScript or other script content was extracted, so the document itself has no execution capability; the risk is the social-engineering workflow, in which the call-to-action text and external links are meant to move the user to a download page for potentially harmful content. The wkhtmltopdf producer string indicates the file was rendered from an HTML page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9632

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels below say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/how-to-get-minecraft-for-free-on-mac-game-hack (PDF link annotation)
    • http://grugliascogiovani.org/images/roblox-survey-for-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/minecraft-pe-apk-download_GM479516143.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-free-spin-software_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/how-to-get-free-robux-on-roblox_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/get-me-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-robux-redeem-codes-2021_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/www-robux-redeem_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-promo-codes-for-roblox-2021_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/get-free-robux-info_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/scary-larry-roblox_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-free-spins-link_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/games-on-roblox-that-give-you-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/orewards-com-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-spins-coin-master-links-blogspot_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/how-to-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/lastrick-com-coin-master-hack_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/get-free-robux-generator_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/download-coin-master-free-spins-link-2021-today_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/robux-free-com_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/my-minecraft-account-was-hacked_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00004b09.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4B09 | 23956 bytes
  SHA-256: 77c3ca6050e2649170d141fd31cf66955fcee7686ddb019b1ff03e659bd58a3e
font_01_sfnt_off000081c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x81C2 | 3092 bytes
  SHA-256: 3811f2fb1880daf4953efcc9c7427d9b438bced237490b00be4a6ec3ecea79e0
font_02_sfnt_off00008c6d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C6D | 17872 bytes
  SHA-256: b6208a51cd80fab2e9318da305006c0e70657a6f065b62408d4ccaae69eb5aa0
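A worked illustration of the two URL channels in the heuristics section (a /URI action on a link annotation versus a URL written in the document text) and of the stream carving behind the artifacts table. This is an added example written for this report, not the analysis engine's own code. It builds a small PDF inline (constructed, with placeholder example.invalid URLs rather than the report's), decompresses its FlateDecode stream and records its offset and SHA-256, extracts URLs labelled by channel, and fires the three rule ids PDF_URI, EMBEDDED_URL and SE_DOWNLOAD_BUTTON. Regex scanning of the raw file is an approximation: a production engine resolves the xref table, object streams and /Length values, and extracts text through the font encoding rather than from literal strings.

```python
import hashlib
import re
import zlib

# Constructed stand-in for the sample (NOT the analysed file): one page, one
# FlateDecode content stream carrying a call-to-action phrase and a URL as a
# literal string, plus one /Link annotation with a /URI action. The hostnames
# are placeholders, not the URLs from the report.
PAGE_TEXT = (
    b"BT /F1 12 Tf 72 700 Td (Click here to download) Tj "
    b"0 -20 Td (http://example.invalid/images/free-robux_GM1.pdf) Tj ET"
)
STREAM = zlib.compress(PAGE_TEXT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    + b"4 0 obj << /Length " + str(len(STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + STREAM + b"\nendstream\nendobj\n"
    + b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
    + b"/A << /S /URI /URI (https://example.invalid/app/1/how-to-get-minecraft-for-free) >> >> endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# A stream dictionary (no '>>' inside it) followed by the body up to the
# 'endstream' keyword. A real parser honours /Length, including indirect
# references; this toy scanner relies on the keyword instead.
STREAM_RE = re.compile(
    rb"<<(?P<dict>(?:[^>]|>(?!>))*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S
)
# The /URI key followed by a literal string. Escaped parentheses inside the
# string are not handled here.
URI_ACTION_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")
CTA_RE = re.compile(rb"click here to download|download now|free download", re.I)


def carve_streams(pdf: bytes):
    """Return [(offset, decoded_bytes, sha256_hex)] for every FlateDecode stream.

    The offset is that of the stream body in the file, as in the artifacts table.
    Corrupt or truncated streams are skipped rather than partially decoded.
    """
    carved = []
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        try:
            data = zlib.decompress(m.group("body"))
        except zlib.error:
            continue
        carved.append((m.start("body"), data, hashlib.sha256(data).hexdigest()))
    return carved


def extract_urls(pdf: bytes):
    """Return [(url, channel)], labelling which channel reached each URL."""
    urls = []
    # Channel 1: /URI actions (link annotations, but also OpenAction/AA triggers).
    for m in URI_ACTION_RE.finditer(pdf):
        urls.append((m.group("uri").decode("latin-1"), "PDF link annotation"))
    # Channel 2: URLs that appear as literal strings in decompressed content
    # streams. Text split across TJ arrays or hex strings needs real text extraction.
    for _, data, _ in carve_streams(pdf):
        for u in URL_RE.findall(data):
            urls.append((u.decode("latin-1"), "PDF document text"))
    return urls


def run_heuristics(pdf: bytes):
    """Apply the report's three heuristics; returns [(rule_id, severity)]."""
    urls = extract_urls(pdf)
    body_text = b"".join(data for _, data, _ in carve_streams(pdf))
    hits = []
    if any(channel == "PDF link annotation" for _, channel in urls):
        hits.append(("PDF_URI", "info"))            # external URL action present
    if urls:
        hits.append(("EMBEDDED_URL", "info"))       # any URL, any channel
    if CTA_RE.search(body_text):
        hits.append(("SE_DOWNLOAD_BUTTON", "low"))  # lure phrase; low-signal alone
    return hits


if __name__ == "__main__":
    for off, data, digest in carve_streams(SAMPLE_PDF):
        print(f"FlateDecoded stream at offset {off:#06X}: {len(data)} bytes, SHA-256 {digest}")
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{url} ({channel})")
    print(run_heuristics(SAMPLE_PDF))
```

Running it on the constructed file reports one carved stream, two URLs (one per channel) and all three rule ids in the order the report lists them. Note that EMBEDDED_URL fires on any URL regardless of channel, which is why the report treats it as informational and leaves the verdict to the combination of the link annotation, the lure phrase and the classifier score.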