PDF static analysis report

Static analysis result for SHA-256 97fd1be36b9f9d54…

Verdict: SUSPICIOUS

File type: PDF

Size: 32.9 KB
Created: 2021-06-25 03:41:16 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15

MD5: 37342040edf4d6e952ab2d3400f2d952
SHA-1: f0574072817e03a61b5d7c96450cdecc1eb585f3
SHA-256: 97fd1be36b9f9d54fc912a0fcffee9eb9ce0d0533a3c55c02755a37f84424818

Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text promoting 'free Robux' and game hacks, aiming to trick users into downloading malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports a suspicious nature. While no scripts were explicitly extracted, the document's structure and content suggest it acts as a lure for a second-stage download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9824

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (with the channel that reached each one):
    • http://netcdn.co/app/431946152/free-robux-sirws-game-hack (PDF link annotation)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/free-spin-coin-master-hack-2021_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/free-pet-snacks-coin-master_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/robux-hack-no-verification_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/minecraft-free-download-chromebook_GM479516143.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/obby-gives-you-10k-free-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/piano-player-roblox-hack_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/roblox-hack-flz_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/easy-how-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/login-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/coin-master-hack-tuts_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/coin-master-hack-facebook_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/minecraft-handbook_GM479516143.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/daily-free-spins-coin-master-2021_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/robuxy-com-free-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/roblox-pics_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/how-to-earn-robux-by-playing-games_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/huskybuckscom-free-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/roblox-earn-robux_GM431946152.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/coin-master-links-free-spins_GM406889139.pdf (in PDF document text)
    • https://elearning.manurululum.web.id/__statics/gudangsoal/files/que-pasa-si-mientes-al-hacker-de-roblox_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off00002a86.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2A86
    Size: 22244 bytes
    SHA-256: 52274cae3af6f6b6afd964ea716f74884d03eebf9bdea5d9628776d9cc5d50d9
  • font_01_sfnt_off00005be8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5BE8
    Size: 19000 bytes
    SHA-256: f771590fce81838bcf923070994ce85e09dabd261813600fe3a59dfc3055da40