PDF static analysis report

Static analysis result for SHA-256 6efaa4aa888fc8d6…

SUSPICIOUS

PDF

Size: 48.4 KB
Created: 2021-06-03 06:25:08 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c3c462c14aca88e6aa578c9bb8ac6c3a
SHA-1: 96a3c30df27e49f0568db2868b4766c2b090849d
SHA-256: 6efaa4aa888fc8d624e7d4f68abfb1360034b10404de749dff95323dd3232e22
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure for 'Free Robux Generator' and an embedded URL pointing to a suspicious domain. The ML classifier also flagged the PDF as malicious. While no scripts were directly extracted, the presence of an external URI and the overall context suggest an attempt to trick the user into downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.online/app/431946152/free-robux-generator-without-human-verification-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_004_off000050ad.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x50AD
    Size: 26776 bytes
    SHA-256: 56ea1faf9c63d4d5bdcd3dbe76560271d781c2c53b69bc60556e065f872e8234
  • font_01_sfnt_off00008dd9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8DD9
    Size: 2880 bytes
    SHA-256: b053084cafd01c649462d87667ba56c569d6480ce60e7d20ae57ef6124cf178e
  • font_02_sfnt_off000097c4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x97C4
    Size: 19224 bytes
    SHA-256: 40a7d61fbe05f3c06cc4b4f213318e5db23b17d00e7c534d307fd6e415ac6071