PDF static analysis report

Static analysis result for SHA-256 c8d9a2a2de91a713…

SUSPICIOUS

PDF

61.7 KB Created: 2021-04-05 19:40:36 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 8a800926589a2403ba1d154dd2f989b4 SHA-1: 513beafe843338c97df2e2ebefd0857929b73d2b SHA-256: c8d9a2a2de91a7131a2c1cccc98faf19f76ffcde2bec30da54ee67a449a574da
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a prominent link and text related to obtaining free items for the game Roblox, which is a common lure for malicious downloads. The ML classifier also flagged the PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the lure suggest an attempt to trick the user into downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6193

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/free-jordan-shirt-roblox PDF link annotation
    • http://grand-ural74.ru/images/to-cash-free-robux.pdfIn PDF document text
    • http://ptts.pl/images/speed-hack-roblox-cheat-engine-62.pdfIn PDF document text
    • https://bancroftandsons.com/images/hack-yourself-levels-in-roblox-phantom-forces.pdfIn PDF document text
    • http://www.malonmalon.com.ar/images/roblox-how-to-hack-a-perso.pdfIn PDF document text
    • http://bwharrisalumniusa.org/images/how-to-hack-a-roblox-game-easy.pdfIn PDF document text
    • http://bb-im2.com/images/get-free-bc-tbc-obc-roblox.pdfIn PDF document text
    • http://abst-brandschutztechnik.com/images/how-to-get-all-catalog-free-roblox.pdfIn PDF document text
    • http://eltisstudio.sk/images/how-to-hack-roblox-2021-december.pdfIn PDF document text
    • http://southernhills-golf.com/images/how-to-change-username-free-no-waiting-robux.pdfIn PDF document text
    • https://pompesfunebresleveque.fr/images/how-to-create-a-free-group-on-roblox.pdfIn PDF document text
    • http://bkd1.balikpapan.go.id/images/how-to-hack-roblox-murder-mystery-2.pdfIn PDF document text
    • https://inscastellar.cat/images/roblox-robux-hack-november-2021.pdfIn PDF document text
    • https://www.tqma.com.ec/images/roblox-how-to-be-a-nerd-no-robux-or-hacks.pdfIn PDF document text
    • http://www.mjclautrec.fr/images/doge-roblox-hat-free.pdfIn PDF document text
    • http://www.hotelcomelico.it/images/how-to-get-robux-easy-with-a-hack.pdfIn PDF document text
    • http://www.exikom.com.ua/images/roblox-websites-that-give-free-robux.pdfIn PDF document text
    • http://italymania.ru/images/how-to-hack-roblox-for-robux-script.pdfIn PDF document text
    • http://www.gravel.ru/images/roblox-how-to-get-everything-for-free.pdfIn PDF document text
    • https://www.lavigny.ch/images/roblox-hacks-x-ray-2021.pdfIn PDF document text
    • https://www.iadh.bi/images/free-robux-gift-card-codes-generator.pdfIn PDF document text
    • https://technospektr.com.ua/images/roblox-exploit-mega-nz-free-emperor-roblox-hack-mega-nz.pdfIn PDF document text
    • http://dos.most.gov.la/images/free-item-with-card-purchase-roblox.pdfIn PDF document text
    • http://zarinnameh.ir/images/roblox-troll-script-hack-pastebin.pdfIn PDF document text
    • https://www.ghknights.org/images/roblox-ingame-item-hack.pdfIn PDF document text
    • https://komakinosite.jp/images/how-to-get-free-robux-card-codes-parody-of-robuxian.pdfIn PDF document text
    • http://asiasieja.pl/images/roblox-treelands-free-uncopylock.pdfIn PDF document text
    • http://www.torvet11.dk/images/roblox-screen-recorder-free.pdfIn PDF document text
    • https://www.air-shop.cz/images/roblox-admin-hacks-2021.pdfIn PDF document text
    • http://legitame.org/images/what-to-do-if-your-roblox-account-is-hacked.pdfIn PDF document text
    • https://www.air-shop.cz/images/how-to-get-free-robux-one-step.pdfIn PDF document text
    • http://gops.pruszczgdanski.pl/images/free-promo-codes-for-roblox-2021-not-expired-robux.pdfIn PDF document text
    • http://www.eaapiaria.es/images/is-roblox-free-on-three.pdfIn PDF document text
    • http://adues.org/images/hacks-for-roblox-jailbreak-noclip-no-email.pdfIn PDF document text
    • https://www.apartmanychorvatsko24.cz/images/cheat-roblox-jailbreak-android.pdfIn PDF document text
    • http://danielkleiboemer.de/images/free-robux-no-verification-2021.pdfIn PDF document text
    • https://www.ncscolour.no/images/hacker-bubble-gum-simulator-de-roblox.pdfIn PDF document text
    • http://eddegrootassurantien.nl/images/roblox-hack-inspect-element-2021.pdfIn PDF document text
    • http://aiyta.com/images/robux-robux-free-roblox.pdfIn PDF document text
    • http://lv-siegen.de/images/get-free-robux-no-human-verification-2021.pdfIn PDF document text
    • http://energotestcontrol.ru/images/how-to-hack-roblox-fort-albreta.pdfIn PDF document text
    • https://socialvalue.gr/images/free-roblox-codes-that-give-you-robux.pdfIn PDF document text
    • https://www.linzgau-kjh.de/images/download-cheat-for-roblox-android-1com.pdfIn PDF document text
    • http://unc-europe.com/images/descargar-roblox-hackeado-para-pc-2021.pdfIn PDF document text
    • http://bufbd.org/images/how-get-robux-for-free-in-roblox-2021.pdfIn PDF document text
    • http://yochin.org.tw/images/how-do-you-hack-roblox-on-a-phone.pdfIn PDF document text
    • https://kimolos-link.gr/images/foxyhackscom-free-robux.pdfIn PDF document text
    • http://www.copoint.co.uk/images/free-onlne-roblox.pdfIn PDF document text
    • http://intrasservices.com/images/cheat-engine-lua-script-roblox.pdfIn PDF document text
    • http://vagency.us/images/guess-that-song-cheat-sheet-roblox.pdfIn PDF document text
    +21 more URL(s)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00008535.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8535 27496 bytes
SHA-256: 2aad396e1a947da8546f135abeed6a3327bbfba07ee0f02b147f31f356af2365
font_01_sfnt_off0000c3fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC3FB 2832 bytes
SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
font_02_sfnt_off0000cdab.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCDAB 18300 bytes
SHA-256: 4b7be2feaeb6ba59dbbea3fd440c1d03a87945ceff53bd08fe50b402c773d291