PDF static analysis report

Static analysis result for SHA-256 b948588217419434…

SUSPICIOUS

PDF

Size: 41.5 KB
Created: 2021-04-28 13:47:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 111b7d17a19e9cc3d3d41ec81ebf6d95
SHA-1: 40b62013620415d2359f3cc2656842d78cb1fda3
SHA-256: b94858821741943477d707a7e83a08311a05ec9f4ffc7856c9e6e24cd00a5265
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a visual download button lure, strongly suggesting an attempt to trick the user into downloading a payload. The primary URL points to a file advertised as a Roblox speed hack, indicating a social engineering tactic. While no scripts were explicitly extracted, the presence of embedded URIs and the ML classifier's high confidence score suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics (3)

  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-prisoner-life-speed-hack-game-hack (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off000040df.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x40DF
  Size: 27692 bytes
  SHA-256: c041cba1cbaf984c442f64998abca4297d4363bb96f954386fd5767c8797069d

Filename: font_01_sfnt_off00007f16.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F16
  Size: 18808 bytes
  SHA-256: 7d7aa726ad5026db97b01eff3db60c2034a737470ebec529f4d3ff0b71436d4e