PDF static analysis report

Static analysis result for SHA-256 afaee1491aab4cb5…

Verdict: SUSPICIOUS
File type: PDF
Size: 46.1 KB
Created: 2021-06-09 15:32:15 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: b85079bd8b0c996ae787cad96f1d6628
SHA-1: 0b7a37de24ed3863ce379ee9ccbd12f21fce7d72
SHA-256: afaee1491aab4cb59db1bb096f1e1dbe5c1348c5e1d49ff56e3d0329e605c555
Risk score: 42

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a visual call-to-action, strongly suggesting a phishing or social engineering attempt to trick users into downloading a payload. The ML classifier also flagged this PDF as malicious. The primary lure is the promise of free Robux, a popular game currency, indicating a likely attempt to exploit interest in online gaming. While no scripts were explicitly extracted, the presence of external URIs and the ML classification suggest the document is designed to facilitate the download of a second-stage malicious file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9797

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low; rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info; rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_004_off00004e40.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4E40
  Size: 24916 bytes
  SHA-256: 987aaaadc3c0bd7b65822c0e6c76726bda7e7dc745ef50ef98136851654f6b1a

font_01_sfnt_off00008776.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8776
  Size: 2880 bytes
  SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132

font_02_sfnt_off00009160.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9160
  Size: 18236 bytes
  SHA-256: 27bbee55b279df4e2a3f8433084680ad04072d10a034c4b740534e887bed6c19