PDF static analysis report

Static analysis result for SHA-256 1873694f16e6a75b…

SUSPICIOUS

PDF

Size: 36.2 KB
Created: 2021-07-04 12:28:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 3266defe9ba3509490ba21f86c8a35d5
SHA-1: 17e8405eff7c2946db0032447295aa3bba5b25c3
SHA-256: 1873694f16e6a75b8ec675767fdff49eaf020c11f1fd9777f51e8784520fe00f
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier strongly indicates maliciousness, and the document body contains multiple URLs promoting game hacks and free items. These URLs likely lead to malicious downloads or phishing sites, attempting to trick users into compromising their accounts or systems. No scripts were extracted, but the presence of external URIs and the ML classification suggest a downloader or lure document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000032ee.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x32EE  22884 bytes
  SHA-256: f0688d60d643b3d3e252fe7afe0e5178396fdde8c665fd2d68f57f17772c3fd0
font_01_sfnt_off0000663d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x663D  19960 bytes
  SHA-256: e3128539ec14cd87572dea901be8c485faf9fd4402022552a6a4d5a8d9f5dd01