PDF static analysis report

Static analysis result for SHA-256 d254c32f7c47cd37…

SUSPICIOUS

PDF

Size: 47.7 KB
Created: 2021-05-14 01:32:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 810906360f109f08e12ed4c37d5a9104
SHA-1: 248f4069ee7c078e87f6fc9a258417194197161f
SHA-256: d254c32f7c47cd37bb9505b548abea608ba70d3b2867664a8b472eda0063c6dc
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous URLs and text fragments related to obtaining free Robux and other game-related cheats, indicating a lure for potentially malicious downloads. The ML classifier flagged this PDF with high confidence, and the presence of external URIs suggests an attempt to redirect the user to malicious sites. While no scripts were explicitly extracted, the nature of the content and the external links point towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9013

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/431946152/how-to-get-free-robux-without-doing-anything-2021-game-hack (PDF link annotation)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00004c4d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4C4D | 25124 bytes
    SHA-256: a8038abfbdd9c14696d2823dda385ecbe84422e436ca205ca95a4f5f4b908e7a
font_01_sfnt_off00008614.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8614 | 3988 bytes
    SHA-256: 1ba32a5139c6de22584ee0f72d573162a644f7c4206fa3a2a8dea775e8e2a087
font_02_sfnt_off00009331.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9331 | 19804 bytes
    SHA-256: 7de61e10f8b36a8651a25a8843179e8b1ecc4bebcf46d2f81f98618caa29dc1a