PDF static analysis report

Static analysis result for SHA-256 a87c222ba53296a5…

Verdict: SUSPICIOUS
File type: PDF
Size: 34.9 KB
Created: 2021-07-20 23:42:35 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 2519a579e752d2c5cf383e3b108e5140
SHA-1: b7f048e31589e8aa8d4e82b0c5b533e8409761a4
SHA-256: a87c222ba53296a5cb37629fcc89b874d4f0fe16609a1f062305f9159fd24f8f
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains lures for free Robux and includes a prominent external URI pointing to a suspicious domain. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the presence of embedded URLs and the document's content suggest it's designed to trick users into visiting malicious sites, likely for scams or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics (3)

  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/how-to-get-free-robux-with-no-verification-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f4e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F4E
Size: 23140 bytes
SHA-256: 87888ff827c67a8ae4633daa92adc7b6fd35bd54b36e31889e7dcfc2fdc13999

Filename: font_01_sfnt_off00006340.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6340
Size: 19312 bytes
SHA-256: 1dcd8f472644bbfbea9938e32028314b4c3da663e3cbf8c509e8fe1bea5d503c