PDF static analysis report

Static analysis result for SHA-256 5f442b826cd5104f…

SUSPICIOUS

PDF

40.7 KB Created: 2021-04-28 19:17:12 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 84e1652c88b7a4c884eb940e2abee40e SHA-1: 7f5f7d2d67244243496d6cdb6a9499978ca53e44 SHA-256: 5f442b826cd5104f906aef2e1ed6a89a304714ba695fc14e7f7040b6460d69eb
50 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains lures related to "Roblox Money Hack" and "Cheat Engine", directing users to download a file from a suspicious URL. The ML classifier strongly flagged this PDF as malicious, and the presence of embedded URLs further supports a malicious intent to trick users into downloading potentially harmful content. No scripts were extracted, but the overall pattern suggests a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9926

Heuristics 4

  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-money-hack-cheat-engine-6.3-game-hack PDF link annotation
    • https://www.bolsoshf.com/ckfinder/userfiles/files/roblox-walk-through-walls-cheat-engine-jailbreak.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/how-to-hack-other-roblox-accounts.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/roblox-noclip-no-cheat-engine.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/hack-roblox-reddit.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/boku-no-roblox-remastered-hack-chose-quirks.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/como-hackear-conta-de-roblox.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/roblox-2021-april-fools-hack.pdfIn PDF document text
    • https://www.bolsoshf.com/ckfinder/userfiles/files/how-to-make-a-free-robux-hack.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003f98.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3F98 24992 bytes
SHA-256: 91a1b2211b9081dc8fe1c4bca6da5540c1c2044385e4405b46a8ad033a7423c5
font_01_sfnt_off0000797f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x797F 19644 bytes
SHA-256: 35d48d0a257b0ebac8c300a02d2fea0ba3ed3ca7ebf018733484b834adc6f5e0