PDF static analysis report

Static analysis result for SHA-256 e62dee6326780f8c…

SUSPICIOUS

PDF

48.8 KB Created: 2021-05-03 03:57:29 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: cf4b05b3de073919cfc223d375e24e33 SHA-1: 703c12297440cc1bad18958142a91dbae0db7c0c SHA-256: e62dee6326780f8ca48afd5e338ae512f7a5712ec521fec5d5b8e1a31ef437bf
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains an external URI pointing to a URL that appears to be a lure for game cheat codes. The ML classifier flagged this PDF as malicious with high confidence. The presence of multiple embedded URLs, some of which are truncated in the evidence, suggests an attempt to redirect the user to download further content. No scripts were extracted from this sample, but the overall structure and embedded links indicate a phishing or social engineering attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9764

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/cheat-codes-for-ninja-assassin-roblox-game-hack (PDF link annotation)
    • https://lib.stie-yai.ac.id/repository/robux-free-von-roblox.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/bloxrp-money-hack-roblox.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/free-robux-no-human-verification-or-survey-2021-on-ipad.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/como-activar-hacks-en-roblox.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/how-do-you-hack-roblox-accounts-2021.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/roblox-kids-free-robux.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/free-coins-in-roblox-rb-world-2.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/roblox-hack-website-no-survey.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/free-inject-roblox-hacks.pdf (in PDF document text)
    • https://lib.stie-yai.ac.id/repository/free-robux-codes-generator-works.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • stream_003_off00004385.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4385
    Size: 26680 bytes
    SHA-256: 10c3d97f0b34e5ac419b4faeed537d4ea4bf214a31311df4260639657fa13835
  • font_01_sfnt_off00008040.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8040
    Size: 11440 bytes
    SHA-256: 154d59d1680f2d1e38ccb783d6997f344290d121007e51df331726de4128c12e
  • font_02_sfnt_off00009b61.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B61
    Size: 18928 bytes
    SHA-256: 0309786fce838bf44b4e26ab5d29c0a57eeca7a8a16d83fa2ffe107401f3e0a5