PDF static analysis report

Static analysis result for SHA-256 0060c6658a8b18f2…

SUSPICIOUS

PDF

49.3 KB Created: 2021-06-04 00:23:37 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-17
MD5: 0a16ed4e732087dc3f1167c26f0ac624 SHA-1: 2bdfe6286cb7fa3e5c432df58805db30d00b9e83 SHA-256: 0060c6658a8b18f2315067360323d57766598c5587fdd70754f7d1e8ad7045b2
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an embedded URL that leads to a domain known for distributing potentially unwanted or malicious files, disguised as game cheats. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the content suggest an attempt to trick the user into downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • https://netcdn.online/app/431946152/how-to-fly-hack-in-sword-simulator-roblox-game-hack | PDF link annotation
    • http://perpus.stmik-im.ac.id/repository/roblox-password-hacker_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/get-free-robux-gg_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/roblox-2021_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/free-robux-real-working_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/how-to-hack-coin-master-ios-no-jailbreak_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/how-to-download-minecraft-for-free-on-your-phone_GM479516143.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/minecraft-linux-free_GM479516143.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/coin-master-free-daily-rewards_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/minecraft-java-edition-download-free_GM479516143.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/coin-master-free-download_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/coin-master-rewards-free-spins_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/robux-hack-tools_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/robux-free-co_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/hack-master-coin-pc_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/free-coin-master-coins-2021_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/roblox-free-robux_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/how-to-get-free-robux-no-survey_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/roblox-no-download-hack_GM431946152.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/hackear-coin-master_GM406889139.pdf | In PDF document text
    • http://perpus.stmik-im.ac.id/repository/coin-master-free-link-2021_GM406889139.pdf | In PDF document text
    • http://en.wikipedia.org/wiki/MIT_License | In PDF document text

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000532a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x532A | 27104 bytes
  SHA-256: 9c4523571072590e0f56917a6309492b3221a162c951be2435828984504163e5
font_01_sfnt_off000090ac.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90AC | 2940 bytes
  SHA-256: ae8acc7f13e86db3aed98d7dfb73e70e16f4dedb45e9f0467460b76f54e1a1bb
font_02_sfnt_off00009aba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ABA | 19488 bytes
  SHA-256: 9976c113c951129fb9af1f88c662e9654fdd1f3e2db87133e8e2800fb58330be