PDF static analysis report

Static analysis result for SHA-256 bb0668a241c25f43…

SUSPICIOUS

PDF

58.5 KB Created: 2021-04-05 22:11:47 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-22
MD5: f0bb7d249b65bdf194de22ebe47fde06 SHA-1: 3c3f5eb10e282592239faf652e758cbb46b1dee9 SHA-256: bb0668a241c25f434e1cc06c8614ccf32c05ca737ee824a2968f9b2759699716
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged as suspicious by an ML classifier. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7795

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/karinsupersweet-offers-200-000-robux-for-free PDF link annotation
    • http://halitbayramoglu.com.tr/images/roblox-hack-tool-free-download-no-survey-no-password.pdfIn PDF document text
    • http://iacovoulaw.com/images/nice-roblox-games-to-hack.pdfIn PDF document text
    • http://www.drent.se/images/robux-hacks-2021.pdfIn PDF document text
    • http://properteez.com/images/how-get-free-robux-glitch.pdfIn PDF document text
    • http://santeh-40.ru/images/roblox-promo-code-hacker.pdfIn PDF document text
    • https://www.stayon.no/images/all-roblox-gamepass-free.pdfIn PDF document text
    • http://www.exikom.com.ua/images/the-roblox-free-bloxburg.pdfIn PDF document text
    • http://columbuscigar.com/images/how-to-hack-your-account-back-on-roblox.pdfIn PDF document text
    • http://www.mikramarine.gr/images/roblox-lumber-tycoon-2-how-to-get-free-money.pdfIn PDF document text
    • https://www.eglihotel.gr/images/roblox-mod-robux-free.pdfIn PDF document text
    • http://www.arredifunebri.com/images/how-do-you-get-free-robux-codes.pdfIn PDF document text
    • https://zapoj-kharkov.com.ua/images/robux-hack-911.pdfIn PDF document text
    • http://jbm-constructions.com/images/free-roblox-account-with-robux-and-password.pdfIn PDF document text
    • https://schaefer-rechtsanwaelte.com/images/free-robux-site-youtube.pdfIn PDF document text
    • http://www.awakeningtruth.org/images/business-simulator-roblox-cheat.pdfIn PDF document text
    • https://www.abrapppe.org.br/images/roblox-alien-simolator-hack-script.pdfIn PDF document text
    • https://www.linzgau-kjh.de/images/how-to-free-someone-in-prison-life-roblox.pdfIn PDF document text
    • http://www.nielsen2u.dk/images/anak-roblox-hacking-tool.pdfIn PDF document text
    • https://www.seeingindependence.org/images/free-robux-game-cards.pdfIn PDF document text
    • http://pia2000.net/images/adfly-roblox-hack.pdfIn PDF document text
    • http://belagrogen.by/images/advia-roblox-free.pdfIn PDF document text
    • http://www.bestyears.co.uk/images/roblox-free-items-website.pdfIn PDF document text
    • https://www.academiaanticorrupcion.org/images/free-hacks-for-roblox-counter-blox.pdfIn PDF document text
    • http://k2visual.com.br/images/proxy-site-free-robux.pdfIn PDF document text
    • http://www.nielsen2u.dk/images/hacked-pants-roblox.pdfIn PDF document text
    • http://addair.co.uk/images/free-robux-june.pdfIn PDF document text
    • https://semanasantacehegin.com/images/free-roblox-login-name-and-password.pdfIn PDF document text
    • http://pacatuamigo.com/images/assassin-roblox-hack-on-the-sky.pdfIn PDF document text
    • https://www.stayon.no/images/how-to-hack-roblox-accounts-back.pdfIn PDF document text
    • http://briankellyforcongress.com/images/omg-free-robuxnet16.pdfIn PDF document text
    • http://techmobil.pl/images/dev-roblox-hacks.pdfIn PDF document text
    • http://principessalialaofegypt.com/images/free-roblox-hacks-jailbreak.pdfIn PDF document text
    • http://www.jureclomas.com.ar/images/free-superhero-skin-roblox.pdfIn PDF document text
    • http://bi-bordtennis.dk/images/roblox-hammer-simulator-free-vir-server.pdfIn PDF document text
    • http://www.lycee-langevin-wallon.com/images/obc-for-free-on-roblox.pdfIn PDF document text
    • http://beer-holzhaus.ch/images/roblox-c00lkidd-hack.pdfIn PDF document text
    • https://www.seeingindependence.org/images/roblox-jump-hack-2021.pdfIn PDF document text
    • http://pa-tanjungselor.go.id/images/free-cool-tshirt-roblox.pdfIn PDF document text
    • http://www.mikramarine.gr/images/best-roblox-hacked-clients-2021-youtube.pdfIn PDF document text
    • http://ns1.radiofacil.net/images/free-vip-server-for-speed-race-game-roblox.pdfIn PDF document text
    • http://gamixpaliwa.pl/images/hack-robux-using-google-chrome.pdfIn PDF document text
    • http://shootawayproduction.com/images/how-to-hack-items-into-roblox-shirts.pdfIn PDF document text
    • http://tegeler-segler.de/images/how-to-hack-level-on-roblox-paintball.pdfIn PDF document text
    • http://principessalialaofegypt.com/images/geld-cheat-roblox.pdfIn PDF document text
    • http://abletrustcare.com/images/money-cheats-for-roblox-vehicle-simulator.pdfIn PDF document text
    • http://jobsy.com.sg/images/como-hackear-robux-facil-y-rapido-2021.pdfIn PDF document text
    • http://alexandrion.com/images/freerobux-redeem.pdfIn PDF document text
    • https://www.abrapppe.org.br/images/how-to-enable-the-free-models-searcher-in-roblox-studiuo.pdfIn PDF document text
    • http://jenne-technik.de/images/marshmello-t-shirt-roblox-free.pdfIn PDF document text
    +15 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00008354.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8354 26520 bytes
SHA-256: 2586839a9b855c62c8a350c9f5579d2b0797dd61318f92065b3df9796fb0b246
font_01_sfnt_off0000bf71.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBF71 18848 bytes
SHA-256: c648736185794c12fe23411ae24dc49a212e5387d6d8d776723fc879fd6551d7