PDF static analysis report

Static analysis result for SHA-256 04d4a4bc313fdb89…

Verdict: SUSPICIOUS
File type: PDF
Size: 35.4 KB
Created: 2021-06-30 02:42:30 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: a51cf247e5663257f8277cc400c56b02
SHA-1: d932a862211992da98e72e1d7873bfdc6b95cc7e
SHA-256: 04d4a4bc313fdb89f3884d5fea360d08c2d55ae311de53ea8306199e784e414f
Risk score: 50

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and a prominent URL suggesting a download lure for a game hack. The ML classifier strongly flagged this PDF as malicious, and the presence of JavaScript indicates an attempt to execute code. The document body and extracted URLs reinforce the theme of providing game cheats or hacks, which is a common social engineering tactic.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (4)

  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/btools-hack-for-roblox-link-game-hack (in PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    | Kind                    | Source                                   | Size
stream_002_off00003304.bin  | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3304 | 22536 bytes
  SHA-256: ce4f37ddfb7a01dd5fb5ac9bcd47542d07789fccc902138021eae0008e7fe8d3
font_01_sfnt_off00006562.bin | pdf-font-stream        | PDF embedded font (sfnt) at offset 0x6562 | 19044 bytes
  SHA-256: dc913086b1a8b176b50677ea5e770f0085627d1474101706157346920678e343