PDF static analysis report

Static analysis result for SHA-256 9d359c240970e90d…

SUSPICIOUS

PDF

Size: 35.0 KB
Created: 2021-06-27 13:21:55 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 5ca313870e1825a34d3dca26f88a1432
SHA-1: 4dbf57e21b4ab855e86a91d15585e26cdc5a9fc8
SHA-256: 9d359c240970e90deb78a2299b35949567d06b9f6847aacc089830a400740209
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document is a lure: its text advertises free Robux, Coin Master spins and game hacks, and all but one of the embedded URLs (the exception is a Wikipedia link to the MIT License) are further download links. The ML classifier scores the PDF as malicious (0.998). The single link annotation points to an external host; the remaining URLs sit in the page text and share one path under traveljogja.net/ckfinder/userfiles/files/, which is CKFinder's default upload directory, a pattern typically seen when files are planted on a third-party site through an abused upload component. No JavaScript, embedded files or launch actions were extracted, so the PDF itself carries no exploit code; the risk lies in the onward chain (a drive-by download or a phishing page behind the links), which static analysis alone cannot confirm without fetching the destinations. The wkhtmltopdf producer string is consistent with an HTML page rendered to PDF in bulk rather than a hand-authored document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/free-robux-games-in-roblox-100-real-game-hack (PDF link annotation)
    • https://traveljogja.net/ckfinder/userfiles/files/roblox-free-admin-hack-2021_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/free-robux-2021-no-verification_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/roblox-noclip-cheat-engine-64_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/coin-master-hack-spins-apk_GM406889139.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/change-roblox-username-free_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/how-to-make-your-t-shirt-free-on-roblox_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/dl-roblox-hack-scripts-download_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/coin-master-cards-for-free_GM406889139.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/descargar-hack-coin-master_GM406889139.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/coin-master-daily-free-spins-and-coins_GM406889139.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/free-robux-no-serveys_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/free-robux-codes-2021_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/roblox-hacks-jail-breal_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/minecraft-server-free-trial_GM479516143.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/free-robux-com-roblox_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/roblox-codes-rob-the-bank-hack_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/how-do-you-get-free-robux-without-paying_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/coin-master-spins-hack-2021_GM406889139.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/free-robux-2021-no-human-verification_GM431946152.pdf (PDF document text)
    • https://traveljogja.net/ckfinder/userfiles/files/coin-master-hack-tool-v1-9-pc_GM406889139.pdf (PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (PDF document text)
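The per-URL channel labels above (link annotation versus document text) and the call-to-action heuristic are the two things worth reproducing when triaging a lure like this one. The following is an added example, not the analysis tool's own code: a dependency-free Python triage script that inflates Flate-compressed streams, pulls literal-string operands out of Tj/TJ text operators, reads the /URI value of URI actions, and labels each URL with the channel that reached it. The sample PDF bytes are constructed for the example (hostnames use the reserved .invalid TLD), and the heuristic IDs are reused from the report purely as labels.

```python
"""Tiny PDF URL/lure triage: which channel reached each URL, plus a CTA heuristic."""
import re
import zlib

# Constructed sample (not a real document): one uncompressed content stream with a
# call-to-action phrase and a URL in the page text, plus one Link annotation whose
# /URI action points at a different host. The /Length value is not checked here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 125 >>
stream
BT /F1 12 Tf 72 700 Td (Click here to download) Tj ET
BT /F1 10 Tf 72 680 Td [(https://files.example.invalid/free-robux_GM1.pdf)] TJ ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 712]
   /A << /S /URI /URI (http://cdn.example.invalid/app/1/hack) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LITERAL = rb"\(((?:[^()\\]|\\.)*)\)"          # one PDF literal string, escapes allowed
TEXT_OP = re.compile(LITERAL + rb"\s*Tj|\[((?:[^\]\\]|\\.)*)\]\s*TJ")
URI_KEY = re.compile(rb"/URI\s*" + LITERAL)    # the /URI value of a URI action dict
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL = re.compile(r"https?://[^\s()<>\"']+")
CTA_PHRASES = ("click here to download", "download now", "free download")


def unescape(raw: bytes) -> str:
    """Undo the \\( \\) \\\\ escapes of a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def stream_payloads(data: bytes) -> list:
    """Return every stream body, inflated when its dictionary names FlateDecode."""
    out = []
    for m in STREAM.finditer(data):
        head = data[data.rfind(b"obj", 0, m.start()):m.start()]  # the owning object's dict
        body = m.group(1)
        if b"/FlateDecode" in head:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep raw bytes; a damaged stream should not abort triage
        out.append(body)
    return out


def page_text(data: bytes) -> str:
    """Concatenate literal-string operands of Tj/TJ. The strings inside one TJ array
    are joined so a URL split by kerning offsets comes back whole. Hex strings and
    custom encodings are not handled, so text drawn with a subsetted embedded font
    may be missed; that is the caveat for wkhtmltopdf output with embedded fonts."""
    lines = []
    for body in stream_payloads(data):
        for m in TEXT_OP.finditer(body):
            if m.group(1) is not None:
                lines.append(unescape(m.group(1)))
            else:
                lines.append("".join(unescape(s) for s in re.findall(LITERAL, m.group(2))))
    return "\n".join(lines)


def link_uris(data: bytes) -> list:
    """URIs from /A << /S /URI /URI (...) >> actions, in raw objects and inflated streams
    (the latter catches annotation dictionaries packed into object streams)."""
    found = []
    for blob in [data] + stream_payloads(data):
        found += [unescape(m.group(1)) for m in URI_KEY.finditer(blob)]
    return found


def analyze(data: bytes) -> dict:
    """Label each URL with its channel and raise the three report heuristics."""
    text = page_text(data)
    urls = [(u, "PDF link annotation") for u in link_uris(data)]
    urls += [(u, "PDF document text") for u in URL.findall(text)]
    heuristics = []
    if any(p in text.lower() for p in CTA_PHRASES):
        heuristics.append("SE_DOWNLOAD_BUTTON")
    if any(ch == "PDF link annotation" for _, ch in urls):
        heuristics.append("PDF_URI")
    if urls:
        heuristics.append("EMBEDDED_URL")
    return {"urls": urls, "heuristics": heuristics}


if __name__ == "__main__":
    result = analyze(SAMPLE_PDF)
    for url, channel in result["urls"]:
        print(f"{channel:20} {url}")
    print(result["heuristics"])
```

The distinction the script keeps is the one that matters for a verdict: a URL in a link annotation is clickable in every reader and is an action the document itself declares, whereas a URL in page text is inert unless the viewer auto-links it. Neither is a detection on its own, which is why the CTA phrase is only combined with the URL evidence rather than scored separately; a real pipeline would add the destination reputation and the fetch result before escalating past SUSPICIOUS.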

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003131.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3131  22352 bytes
  SHA-256: 3dcffee66e2d458965e1b64504bc602ab72f9c08d42c25df0f47b1a3bd733be6
font_01_sfnt_off000062ff.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x62FF  19328 bytes
  SHA-256: 934db9e7455b87a7685bd3c3d815b14bc009d31d10feed9391c299e84400f8bd