PDF static analysis report

Static analysis result for SHA-256 a5404e530cf013de…

SUSPICIOUS

PDF

Size: 35.0 KB
Created: 2021-06-19 19:38:34 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 12668e13017d997dcaaa21856f2bfa53
SHA-1: 11a4c2cc5844b17f9566399c84fac6c1770ae1fb
SHA-256: a5404e530cf013de7012a407fee74946ba3d22f809638e5a0e52442240b1ded3
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a document body that explicitly advertises free in-game items and hacks for popular games like Roblox. The primary external URI, http://netcdn.co/app/431946152/free-roblox-merch-game-hack, is likely a landing page for downloading a malicious payload. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/free-roblox-merch-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000332f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x332F
  Size: 22140 bytes
  SHA-256: 7c5224c6e8babda7e25e24c9c5a4eb412820c9b2b4b4c544b6d2a307f0a0543b

Filename: font_01_sfnt_off0000643f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x643F
  Size: 19012 bytes
  SHA-256: ccff3da7ef2ac9c338f4634d1f4b19965f4167808188b8d15ac4e76ac7b1cf0f