PDF static analysis report

Static analysis result for SHA-256 18ee8b178663abc4…

SUSPICIOUS

PDF

Size: 45.2 KB
Created: 2021-05-16 08:08:41 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 2667ce812dfb7d21d7317fe72767ba22
SHA-1: 7c6f2aa169c6ea849f1628b9027bda683254814c
SHA-256: 18ee8b178663abc4f40cbb4e8838a69c9040480eaf036a38a771b67184f946a0

Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains embedded links and a visual download button, suggesting a lure to download potentially malicious content. The ML classifier also flagged this PDF with high confidence. The document body, though partially corrupted, contains URLs related to game mods and free in-game currency, indicating a social engineering pretext.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9621

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule ID SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule ID PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule ID EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/479516143/chisel-and-bits-mod-minecraft-pe-game-hack (reached via PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_003_off00004c4e.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4C4E
  Size: 24480 bytes
  SHA-256: 2b3fbedccf3504800ec4118faab65e088b352c549795ae41da1d526b921c6248

font_01_sfnt_off000083d1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x83D1
  Size: 2912 bytes
  SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f

font_02_sfnt_off00008dcd.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DCD
  Size: 18492 bytes
  SHA-256: 61a31027f058db0827ef217670a8e1f5e2a0522dc8390d68666358c3512875fc