PDF static analysis report

Static analysis result for SHA-256 7c80f8e64f348262…

Verdict: SUSPICIOUS

File type: PDF

Size: 45.5 KB
Created: 2021-05-19 15:43:59 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: c4cebf626f5ec431533407e994fd3872
SHA-1: 068649adb837ee5b77ae51e5a9ee30c878b64e1a
SHA-256: 7c80f8e64f348262c92ddb1ddfdd2d917a40378a261e7f0c6717c102238c65e9

Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs pointing to websites that appear to offer in-game currency or rewards, such as 'Robux'. The ML classifier also flagged this PDF as malicious. The presence of these links suggests the document is designed to trick users into visiting potentially malicious sites, likely for phishing or scam purposes. No scripts were extracted, but the embedded URLs are the primary indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics (3)

  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                   | Kind                    | Source                                   | Size
stream_003_off000048b7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x48B7 | 25800 bytes
  SHA-256: 59b86c824320faf6b54af733fa6024f8a130d778d58388ebbb2e2a99bfd82cc0
font_01_sfnt_off00008489.bin | pdf-font-stream       | PDF embedded font (sfnt) at offset 0x8489 | 2836 bytes
  SHA-256: fd98c8f6e7c2e74bbd5822409159a93ac5c94da083ae4c2eb269d4284375f9e8
font_02_sfnt_off00008e2e.bin | pdf-font-stream       | PDF embedded font (sfnt) at offset 0x8E2E | 18592 bytes
  SHA-256: 7d6f50a950363cb67ce8ae8db88bc038f2e04ece5b1cd119157d21c4c1c9bd15