PDF static analysis report

Static analysis result for SHA-256 ba4a4244d9dbb679…

SUSPICIOUS

PDF

Size: 35.0 KB
Created: 2021-07-02 05:37:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: d55697d690e765d4f696853f13baf73b
SHA-1: 044d41e8fa9547ad9d1d2a47a1e572c26512b452
SHA-256: ba4a4244d9dbb679b9721d4c0eccd55bfc26c1acab047b70adc471a64e228a76
Risk Score: 42

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a heuristic firing for an external URI, all related to game hacks and cheats for Roblox and other games. The ML classifier strongly flagged this PDF as malicious. The document body text, though partially corrupted, includes phrases like "free shaggy roblox game hack" and links to download-related PDFs, suggesting a lure to download a second-stage payload. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000031e9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x31E9 | 22484 bytes
  SHA-256: 9368afdf9328a50cd46d140957f2fcf5a3cce34d6a7094163f38016033ef7b89
font_01_sfnt_off00006418.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6418 | 18996 bytes
  SHA-256: eacf56ec645f1e9d1b5b651267fc7c81d405c4b5243d26bbaaa52cc29d4804f8