PDF static analysis report

Static analysis result for SHA-256 df3edb393bb8bcbe…

SUSPICIOUS

PDF

Size: 40.7 KB
Created: 2021-05-10 20:36:25 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: ae974d193842b2424bb4981b705c7d1b
SHA-1: 41eea28fce2187d91b4f97c064dfcfa5abced181
SHA-256: df3edb393bb8bcbe102b6bdbe161529adaefcecc06dad3a05aa57a548df836cb
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URL pointing to a file named 'robux-gainer-game-hack', which is highly indicative of a malicious download lure. The document body, though partially garbled, contains references to 'Robux Gainer' and the same URL, reinforcing the phishing attempt. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9974

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/robux-gainer-game-hack (in PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_003_off000040e4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x40E4
    Size: 25716 bytes
    SHA-256: 68f7ca833659dff33adf874378bc2dc72c414a675a84449d8dc79266db33e5fb
  • font_01_sfnt_off00007d2c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D2C
    Size: 18200 bytes
    SHA-256: b49f4983386c5e2433966410528fc3ba3932a5551bf841ef6afc48143acf477f