PDF static analysis report

Static analysis result for SHA-256 990050ef7cea3583…

SUSPICIOUS

PDF

Size: 59.0 KB
Created: 2021-04-05 21:07:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-23
MD5: 08867cc5493557f27b1b82ed7f964849
SHA-1: 5d19ad10b9e84edd7687132a963a3e12c1d3a391
SHA-256: 990050ef7cea3583a21aa1b87d6c468f6e248af2aacfef98bda5e06519eb337e
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as suspicious by an ML classifier. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7795

Heuristics (3)

  • Visual download / call-to-action button lure (low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00008187.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8187 | 30960 bytes
    SHA-256: f36cbf657aefe88e52e430145d493539746da3e53ea17490dd76109cf9db0d92
font_01_sfnt_off0000c567.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC567 | 17532 bytes
    SHA-256: 40b6cc4580651b16dd21627d2c56a2284c97933ea522d12a81a1be554eab85d3