PDF static analysis report

Static analysis result for SHA-256 9b4b34f5592103e5…

SUSPICIOUS

PDF

Size: 35.7 KB
Created: 2021-06-30 00:07:21 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 373422a6111d4f5a1307bdfb31af4047
SHA-1: 15db4d4910a88e00f9921e72b0127f7e38785811
SHA-256: 9b4b34f5592103e59aba621b42532c00708f9e442275edff1b535207ddf327c4
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains an embedded URI pointing to a download link for a "hacker" tool for the game Roblox. The document body also contains the same URL, reinforcing the lure. The ML classifier flagged this PDF with high confidence, indicating malicious intent. The primary IOC is the URL which likely leads to a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/descargar-hacker-de-roblox-jailbreak-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003326.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3326
    Size: 22840 bytes
    SHA-256: b7ad9d8dae94ea4cc2f333c368965e1c5e292e7543b3d7e66ed2b438965d0e33
  • Filename: font_01_sfnt_off0000664b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x664B
    Size: 19108 bytes
    SHA-256: a25eeb285b92e2e75c96c43b4d799e2e3e77fe621432237e4852748247240470