PDF static analysis report

Static analysis result for SHA-256 0966aa016490d4e9…

Verdict: SUSPICIOUS

File type: PDF
Size: 47.7 KB
Created: 2021-06-09 16:59:54 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29

MD5: 1b4e950d171d18f1ab377940608c5a81
SHA-1: a3dd85172ad3c42be613d414fbbbfc169f5ea650
SHA-256: 0966aa016490d4e93822ccde326e38e25f08eba765640c31cd8cb854db27bc98

Risk score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains embedded URLs and a visual "download" button lure, which suggests an attempt to trick the user into downloading malicious content. The ML classifier also flagged this PDF as malicious with high confidence. The primary IOC is the external URL in the link annotation, which points to a potential payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9769

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/hack.com-roblox-robloxian-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005344.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5344
    Size: 24972 bytes
    SHA-256: ed08056e3d19f198c5e8ad39296003f89d0d814616363d317cf3fbdac3a240d2
  • font_01_sfnt_off00008c9c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8C9C
    Size: 2880 bytes
    SHA-256: 106de1d187d148d03f5c34a802444a7e62d93662ddf359d17cd55770c6c16081
  • font_02_sfnt_off0000968d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x968D
    Size: 18628 bytes
    SHA-256: ee6b001b45e0cd8fd9015bb6f325bec083da12d13b9054095bf8a169725ee846