PDF static analysis report

Static analysis result for SHA-256 1cf6d149abab32ae…

Verdict: SUSPICIOUS

File type: PDF

Size: 35.8 KB
Created: 2021-06-29 14:37:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 401ff4b51f8bce851110fcc21902c03d
SHA-1: 78ac327f6ad4e975350b8c085f3132eec9c45db1
SHA-256: 1cf6d149abab32aea966141ad72ba5b49da4866da03f84684e7b1dac26a7e87a
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document carries one clickable link annotation (an external /URI action) plus body text advertising game hacks and giveaways (Roblox aimbots and free Robux, Coin Master free spins, Minecraft hacks), which is a typical lure for getting a reader to fetch a second-stage download. The Nyx PDF classifier also scores it as malicious with high confidence (0.9980). Taken together, the external URI action, the call-to-action phrasing and the game-cheat theme indicate an attempt to trick the user into downloading a second-stage payload that is presented as a cheating tool but may be malware. Note that the extracted URLs are informational rather than detections in their own right, and the only artifacts carved from the file are two embedded fonts; the risk assessment rests on the lure workflow and the external links, not on anything carved out of the PDF itself.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel labels (macro, JS, link annotation, document body, ...) for how each URL is reached.
    • http://netcdn.co/app/431946152/roblox-aimbot-hack-v3rmillion-phantom-2021-game-hack (PDF link annotation)
    • https://financia-business-school.com/static/upload/files/free-google-play-promo-codes-coin-master_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/free-whatsapp-tik-tok-status-download_GM835599320.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/google-play-coin-master-free-spins_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/roblox-report-hacker_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/coin-master-hack-apk_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/coin-master-daily-bonus_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/minecraft-hacks_GM479516143.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/coin-master-gameplay_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/free-minecraft-hacks_GM479516143.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/roblox-high-school-2-money-cheats_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/tradelands-roblox-cheats_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/pokemon-go-free-friends_GM1094591345.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/how-to-change-roblox-username-for-free-2021_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/coin-master-free-spins-2021-blogspot_GM406889139.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/best-free-exploits-roblox_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/free-robux-with-no-verification_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/how-to-hack-the-living-dead-roblox_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/free-robux-wheel_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/code-free-robux_GM431946152.pdf (in PDF document text)
    • https://financia-business-school.com/static/upload/files/how-to-get-free-robux-without-verifying-2021_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0000327a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x327A | 22152 bytes | 1367dbcdb035d7b2d85422f3df864749618ab74aa48278b5a9b3b4b7ac61c89f
font_01_sfnt_off00006382.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6382 | 20172 bytes | 88c3aeb605c397ae2d3766d737b85bb4035c5d66f06d8f18fc482e6319afb130
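As an added illustration (not part of this report and not the analysis engine's own code), the Python script below reproduces the three kinds of finding shown above on a constructed sample PDF: it attributes each extracted URL to the channel that reaches it (a /URI action on a link annotation versus a string literal in the page content stream), applies the call-to-action phrase heuristic, and carves Flate-encoded sfnt font streams, reporting their file offset and SHA-256 the way the artifacts table does. The sample PDF, the example.invalid hostnames, the heuristic names and the scoring rule in verdict() are assumptions made for the example; the real engine's rules and thresholds are not shown on this page.

```python
import hashlib
import re
import zlib

# Constructed sample, not the 35.8 KB PDF from the report: a minimal PDF with
# one page whose content stream holds a call-to-action phrase and a body-text
# URL, one /Link annotation with a /URI action, and one Flate-encoded stream
# whose inflated bytes start with the TrueType sfnt magic. No xref table is
# written; the scanner walks "N G obj ... endobj" records instead of trusting
# the cross-reference, which is what you want when the file may be malformed.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
FAKE_SFNT = b"\x00\x01\x00\x00\x00\x01" + b"\x00" * 26  # magic + fake table dir, 32 bytes


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_pdf():
    content = (b"BT /F1 12 Tf 72 700 Td (Click here to download the hack) Tj "
               b"0 -20 Td (Mirror: http://example.invalid/loader.pdf) Tj ET")
    font = zlib.compress(FAKE_SFNT)  # real FontFile2 streams are usually Flate-encoded
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://example.invalid/app/aimbot-hack) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(font), font),
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")             # /URI (...) inside an action dict
STR_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)", re.S)     # PDF literal strings, with escapes
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
CTA_RE = re.compile(rb"click here to download|download now|free download", re.I)


def stream_payload(body):
    """Return (offset of stream data within body, raw bytes) or None.
    A direct /Length is honoured; an indirect "/Length 7 0 R" is ignored and
    the scanner falls back to the next 'endstream' keyword."""
    sm = re.search(rb"stream\r?\n", body)
    if not sm:
        return None
    start = sm.end()
    lm = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", body)
    end = start + int(lm.group(1)) if lm else body.find(b"endstream", start)
    return start, body[start:end]


def analyze_pdf(data):
    urls, heuristics, fonts = [], [], []
    for m in OBJ_RE.finditer(data):
        body, body_off = m.group(3), m.start(3)
        # Channel 1: a clickable link annotation carrying a /URI action.
        if re.search(rb"/Subtype\s*/Link", body):
            for uri in URI_RE.findall(body):
                urls.append((uri.decode("latin-1"), "PDF link annotation"))
        sp = stream_payload(body)
        if sp is None:
            continue
        off, raw = sp
        try:
            payload = zlib.decompress(raw) if b"/FlateDecode" in body else raw
        except zlib.error:
            continue  # truncated or corrupt stream: skip it rather than abort the scan
        # Channel 3: an embedded font. The offset is where the raw stream data sits
        # in the file; the hash is over the inflated bytes so it is stable across encodings.
        if payload[:4] in SFNT_MAGICS:
            fonts.append({"offset": body_off + off, "size": len(payload),
                          "sha256": sha256_hex(payload)})
            continue
        # Channel 2: literal strings in a page content stream. Hex strings, text
        # split across many Tj operators and custom font encodings are not handled
        # here; a production scanner runs a real text extractor over the page.
        text = b" ".join(STR_RE.findall(payload))
        for url in URL_RE.findall(text):
            urls.append((url.decode("latin-1"), "PDF document text"))
        if CTA_RE.search(text):
            heuristics.append(("SE_DOWNLOAD_BUTTON", "low"))
    return {"urls": urls, "heuristics": heuristics, "fonts": fonts,
            "verdict": verdict(urls, heuristics)}


def verdict(urls, heuristics):
    """Illustrative rule, not the report's scoring model: a call-to-action phrase
    alone is low signal; it becomes 'suspicious' only when a clickable link
    annotation gives the click an external URL to reach."""
    clickable = any(channel == "PDF link annotation" for _, channel in urls)
    cta = any(name == "SE_DOWNLOAD_BUTTON" for name, _ in heuristics)
    return "suspicious" if cta and clickable else "info"


if __name__ == "__main__":
    result = analyze_pdf(build_sample_pdf())
    for url, channel in result["urls"]:
        print(f"URL {url}  [{channel}]")
    for name, severity in result["heuristics"]:
        print(f"heuristic {name} ({severity})")
    for f in result["fonts"]:
        print(f"font sfnt at offset 0x{f['offset']:04X}, {f['size']} bytes, sha256 {f['sha256']}")
    print("verdict:", result["verdict"])
```

The channel split matters because the two kinds of URL need different follow-up: a link annotation is what the reader's click actually resolves, so it is the one to detonate or block, while URLs that only appear in body text are often SEO filler (as the long financia-business-school.com list above suggests) and are better used as pivots for hunting related samples. The scanner deliberately ignores the xref, so it still sees objects in a file with a damaged or deliberately misleading cross-reference table; it does not, however, look inside object streams (/ObjStm) or encrypted documents, and a /Length given as an indirect reference is only approximated, so treat it as triage logic in front of a full parser such as pikepdf or pdfminer rather than a replacement for one.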