PDF static analysis report

Static analysis result for SHA-256 ccc238c8caef2d94…

SUSPICIOUS

PDF

Size: 38.4 KB
Created: 2021-06-29 08:40:43 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 720d5c54f241d52225197cdb1496345b
SHA-1: 549b7684838ca9c3a9c0927292a4cc0c66a8d084
SHA-256: ccc238c8caef2d942e74c644dfa90befae61186d640a3d8f4d42f3a37937684d
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a document body that explicitly promises methods to 'hack Roblox items' and obtain 'free Robux'. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous links to external sites suggests an attempt to redirect users to download malicious content or visit phishing pages. No scripts were extracted from this sample, but the overall pattern indicates a social engineering lure for potentially harmful downloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003d55.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3D55
Size: 22704 bytes
SHA-256: 94a76290ea62a1b934bc8c663abb1e69736d2e75e5f4f2db52a50950d3622313

Filename: font_01_sfnt_off00006fe6.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6FE6
Size: 19484 bytes
SHA-256: 36b0f645bef0ca878d1d5904ac670dc2f7e4bc0d45e95ae6a71b4f3c465facdc