PDF static analysis report

Static analysis result for SHA-256 11b9011e862ca360…

Verdict: SUSPICIOUS
File type: PDF
Size: 48.0 KB
Created: 2021-06-08 18:47:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 16766a787cff300cf3972249ac807172
SHA-1: 1353d9d6133e71c71ad2f521f11f6bd4df8e00a0
SHA-256: 11b9011e862ca3605bed5f11be9c673fa36b48b1b3e6d46b2aed5066d0945d5d
Risk Score: 42

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous embedded URLs and a prominent external URI pointing to sites offering game hacks and free items, suggesting a lure for users to download potentially malicious content. The ML classifier also flagged this PDF with high confidence, reinforcing the suspicious nature of the document's content and its likely intent to deceive users into clicking malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/roblox-murder-mystery-2-knife-hack-game-hack (in PDF link annotation)
    • https://ezgolfer.com.tw/image/data/files/free-robux-app-real_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/coin-master-free-spins-link-2021-today_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-magical-chest-coin-master_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/how-to-get-100-robux-for-free_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/oprewards-free-robux_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-robux-by-watching-ads_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-robux-live_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-robux-no-apps_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/robux-match_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-roblox-promo-codes-for-robux_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/roblox-free-robux-no-verification_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/how-to-free-robux_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/coin-master-free-cards-hack_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-tiktok-likes-and-fans_GM835599320.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/coin-master-free-spins-2021-generator_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/roblox-free-rubox_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/robux-generator-no-survey_GM431946152.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/coin-master-hack-tool-v1-9-apk_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/get-coin-master-hack_GM406889139.pdf (in PDF document text)
    • https://ezgolfer.com.tw/image/data/files/free-robux-redeem-codes-2021_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off0000508c.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x508C
    Size: 25728 bytes
    SHA-256: 146510eaaf9f344db389b8556fcc6db5ef8ac204c1f458805b82b29dfc5a2990
  • Filename: font_01_sfnt_off00008b9e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B9E
    Size: 2924 bytes
    SHA-256: 11abf8d39497a5b3dfd2863590cc57af88b0c1f577d8c0ace77b52b4e3272b73
  • Filename: font_02_sfnt_off000095ba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95BA
    Size: 19220 bytes
    SHA-256: 3522ee5cd63f321e86dc274f10581780c7af521a3287689db26ee74518613278