PDF static analysis report

Static analysis result for SHA-256 13c607b700943b38…

SUSPICIOUS

PDF

Size: 46.6 KB
Created: 2021-05-16 01:38:04 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 8d46cb83c1929da87c2b5a7fb2188dd3
SHA-1: 5513472df246deac6d8822fce564078e281c565d
SHA-256: 13c607b700943b3820db833c3bbcfdd7b92cb6c0bb1ff6ef38530941b42d4809
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains an embedded URI pointing to a URL associated with game hacks and in-game currency, strongly suggesting a lure for users seeking such content. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the presence of external URIs and the document's theme indicate an attempt to redirect the user to a site that likely hosts a secondary payload or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/how-do-you-get-robux-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_003_off00004c0f.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4C0F    26100 bytes
    SHA-256: ac38cfe3d1aa6847597c356c6dfe4c6a57d3a6a4b3619ad925e95e96fa3749f5
font_01_sfnt_off000088d1.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x88D1   2816 bytes
    SHA-256: 4555740682277f0055d57b15bd0ba953e5b51415ea3d21c93db391eace072d4f
font_02_sfnt_off000092e2.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x92E2   18448 bytes
    SHA-256: d9f15c8d06a9f68edc08429574edcd345d0edfc323a0421ca163819fb1e2672f