PDF static analysis report

Static analysis result for SHA-256 529e12e18da90189…

SUSPICIOUS

PDF

Size: 45.7 KB
Created: 2021-06-07 08:20:11 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 7f661cf69206ab797f3402fd6b13ea39
SHA-1: aadb5d1bfaf37a2b555d43b6d0d5b77f5c301e0e
SHA-256: 529e12e18da90189621040d8f4223d817e8752c7bf545e4775fb8f4e9b633e98
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a prominent external URI pointing to game hack resources, suggesting a lure for users to download potentially malicious files. The ML classifier strongly flagged this PDF as malicious, and the presence of embedded URLs indicates an attempt to redirect users to external sites. While no scripts were explicitly extracted, the nature of the content and the ML classification suggest a high likelihood of malicious intent, possibly involving the download of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/hack-admin-thr-roblox-2021-game-hack (PDF link annotation)
    • http://grugliascogiovani.org/images/how-to-get-hacks-on-roblox_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-coins-for-planet-master-game_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/roblox-phantom-forces-hack-reddit_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/jailbreak-script_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/how-to-get-free-robux-on-phone_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/how-to-be-a-hacker-in-roblox-jailbreak_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-robux-accounts-2021_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/minecraft-server-hacks_GM479516143.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/ways-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-free-attack-hack_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/roblox-lovenet_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-400-spin-link_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/1x1x1x1-roblox-id_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/minecraft-mobile-free_GM479516143.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-cheats_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/how-to-get-free-robux-without-human-verification_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-daily-free-spins-link_GM406889139.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/is-it-possible-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/free-minecraft-texture-packs_GM479516143.pdf (in PDF document text)
    • http://grugliascogiovani.org/images/coin-master-links-free-spins_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_004_off00004fb4.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4FB4
Size: 26920 bytes
SHA-256: 55e131e0a731eade678a130fb85ad153261403feea5208738048fa78f11a143d

Filename: font_01_sfnt_off00008d13.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8D13
Size: 19304 bytes
SHA-256: 05fbc9665384ed95667a7323806611986699e01fb122c0439ee8d93be82fb997