PDF static analysis report

Static analysis result for SHA-256 10aba69acac1489c…

SUSPICIOUS

PDF

Size: 48.5 KB
Created: 2021-06-11 12:27:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: bdbb760c60c8dc0e404c1dcf9ac69ab6
SHA-1: 4033911e98164bd8170b5547fb67c8414441e553
SHA-256: 10aba69acac1489cd7f00583024aa5f2bf92fb0dcbec32bf28d131fafaa7366a
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an external URI pointing to a download page for game hacks, and the ML classifier strongly flagged it as malicious. The document body, though heavily obfuscated, contains similar URLs and text related to game cheats. The presence of these links suggests the document is intended to trick users into downloading malware disguised as game enhancements.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/egg-hacks-for-roblox-dragon-adventures-game-hack (PDF link annotation)
    • http://subarulegacy.com/images/coin-master-free-spins-links-2021_GM406889139.pdf (in PDF document text)
    • http://subarulegacy.com/images/earn-free-robux-for-roblox_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/rbxcity-free-robux_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-robux-meme_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/get-everything-free-roblox-console-pastebin_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/how-to-get-a-free-minecraft-server_GM479516143.pdf (in PDF document text)
    • http://subarulegacy.com/images/coin-master-free-spins-link-download_GM406889139.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-minecraft-capes_GM479516143.pdf (in PDF document text)
    • http://subarulegacy.com/images/best-minecraft-hacked-client-2021_GM479516143.pdf (in PDF document text)
    • http://subarulegacy.com/images/pubg-uc-telegram_GM1330123889.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-coin-master-game_GM406889139.pdf (in PDF document text)
    • http://subarulegacy.com/images/roblox-fly-hack_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-robux-2021-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-robux-generator-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-robux-no-human-verification-no-survey_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-spin-coin-master-2021-link_GM406889139.pdf (in PDF document text)
    • http://subarulegacy.com/images/how-to-get-free-followers-and-likes-on-tiktok_GM835599320.pdf (in PDF document text)
    • http://subarulegacy.com/images/download-roblox-mod-free-robux_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/free-robux-with-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://subarulegacy.com/images/whats-robux_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, kind, source, size and SHA-256.

stream_004_off0000509c.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x509C
  Size: 27220 bytes
  SHA-256: aee396f927eb1281bec1887c53691783f081a2d578f09b57add624a26c59f8a8

font_01_sfnt_off00008dca.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DCA
  Size: 2832 bytes
  SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2

font_02_sfnt_off0000977a.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x977A
  Size: 19332 bytes
  SHA-256: e4301df77aa73fdbd550a0eb847ef8ebabc52dfa6d68d6bf8b1f6a967cf00230