PDF static analysis report

Static analysis result for SHA-256 1e54626104a38acb…

Verdict: SUSPICIOUS
File type: PDF
Size: 48.3 KB
Created: 2021-06-08 10:30:22 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 2c7907f7b08a96bd8584e14438a41187
SHA-1: 7cc7f23299c0f430ab6761a3014c5682b3e4de47
SHA-256: 1e54626104a38acb0c7a468b5e8711a525ca587c3738e3534fa7a6d58b1b606b
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The ML classifier (malicious score 0.9796) and the external URI action together point to malicious intent: the document is built to push the reader toward downloading something or visiting a scam site. The document body and the extracted URLs advertise free in-game items for popular games such as Roblox and Coin Master, a common lure for phishing and malware distribution. All 20 in-text URLs point to one host, elearning.min2bolmong.sch.id, under the same /__statics/gudangsoal/files/ path, each naming a further PDF with a similar game-cheat lure; that pattern is consistent with a compromised site hosting a campaign of such documents. No scripts were extracted, so the only active content observed is the link annotation, and the specific execution method, if any, cannot be assessed from this file alone; the T1203 mapping is therefore a hypothesis about what the linked pages may deliver rather than behaviour observed in the sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9796

Heuristics (3)

  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

    Extracted URLs (channel in parentheses):
    • https://netcdn.tw/app/431946152/roblox-no-download-free-play-game-hack (PDF link annotation)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/free-robux-hack-2021_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/roblox-wizard-life-hack_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/coin-master-free-spins-daily_GM406889139.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-and-builders-club-2021_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/coin-master-free-spins-and-coins_GM406889139.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/coin-master-free-daily-spins-link_GM406889139.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-you-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/minecraft-life-hacks_GM479516143.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/free-spins-coin-master-links_GM406889139.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/free-roblox-shirts-templates_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/minecraft-hacker-skin_GM479516143.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/free-modded-minecraft-server-hosting_GM479516143.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-phone_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/minecraft-hacked-client_GM479516143.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/roblox-land-free-robux_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-can-you-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/free-robux-come_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-to-hack-builderman-roblox-account-2021_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/roblox36com-free-robux_GM431946152.pdf (in PDF document text)
    • http://elearning.min2bolmong.sch.id/__statics/gudangsoal/files/how-to-get-minecraft-for-free-on-mobile_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off000051ab.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x51AB | 26000 bytes | c257362ef5a01543aa2f2bbd35f67c5433a6e3b7d29de37d3ef73762cc2cd816
font_01_sfnt_off00008d82.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D82 | 2940 bytes | eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
font_02_sfnt_off00009792.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9792 | 19016 bytes | 352d95129e9d438ffe72b4620617583b1fcbf3e438818904ece82854611d9d1a
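The two extraction steps behind the findings above, as an added example that is not the report generator's own code: the PDF_URI / EMBEDDED_URL heuristics (URLs reached through a link annotation's /URI action versus URLs found in decoded content-stream text, labelled by channel as in the report) and the FlateDecode stream carving that produces an artifact table with offset, size and SHA-256. It builds a constructed two-URL sample PDF in memory; every hostname, object number and name in it is an assumption. It handles only literal-string /URI values, direct /Length entries and plain-text content streams; a wkhtmltopdf document with embedded sfnt fonts normally draws text through font-specific glyph codes, so the "in PDF document text" channel in a real pipeline needs a proper text extractor, and /URI actions stored inside object streams would need those streams inflated first.

```python
"""Minimal static pass over a PDF: carve FlateDecode streams, pull URLs from
/URI actions and from decoded stream text, flag call-to-action phrases.
Added example; not the report generator's code."""
import hashlib
import re
import zlib

# Constructed sample URLs (assumptions, not taken from any real sample).
ANNOT_URL = "https://lure.example.invalid/app/431946152/free-play-game-hack"
BODY_URL = "http://files.example.invalid/files/free-robux-hack-2021.pdf"

# "N G obj << ... >> stream" headers; the tempered (?!endobj) stops a lazy
# match from running across a stream-less object into the next one.
STREAM_HDR_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect "/Length 12 0 R" is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")
# /URI action values written as literal (...) strings; hex strings and escaped
# parentheses are not handled here.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
CTA_RE = re.compile(rb"click here to download|download now", re.IGNORECASE)


def build_sample_pdf() -> bytes:
    """Constructed input: one page, one Link annotation with a /URI action,
    one FlateDecode content stream whose text carries a second URL."""
    page_text = f"BT /F1 12 Tf 72 700 Td (Click here to download {BODY_URL}) Tj ET".encode()
    compressed = zlib.compress(page_text)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed,
        b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 680 300 720] "
        b"/A << /S /URI /URI (" + ANNOT_URL.encode() + b") >> >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def carve_flate_streams(pdf: bytes) -> list:
    """Every FlateDecode stream, inflated, with file offset and SHA-256
    (the fields the artifact table above reports)."""
    found = []
    for m in STREAM_HDR_RE.finditer(pdf):
        num, gen, dict_src = int(m.group(1)), int(m.group(2)), m.group(3)
        if b"/FlateDecode" not in dict_src:
            continue
        start = m.end()                      # first byte of the stream data
        length = LENGTH_RE.search(dict_src)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:                                # indirect or missing /Length
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end].rstrip(b"\r\n")
        try:
            # decompressobj ignores trailing junk and returns what it could
            # inflate from a truncated stream instead of failing outright.
            data = zlib.decompressobj().decompress(raw)
        except zlib.error:
            data = b""                       # corrupt header: nothing to inflate
        found.append({"object": (num, gen), "offset": start, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return found


def find_uri_actions(pdf: bytes) -> list:
    """URLs reachable via /URI actions: the 'PDF link annotation' channel."""
    seen = []
    for m in URI_ACTION_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.append(url)
    return seen


def analyze(pdf: bytes) -> dict:
    """Label each URL with the channel that reached it, as the report does."""
    streams = carve_flate_streams(pdf)
    text_urls, cta = [], []
    for s in streams:
        text_urls += [u.decode("latin-1") for u in URL_RE.findall(s["data"])]
        cta += [p.decode() for p in CTA_RE.findall(s["data"])]
    labelled = [(u, "PDF link annotation") for u in find_uri_actions(pdf)]
    labelled += [(u, "in PDF document text") for u in sorted(set(text_urls))]
    return {"urls": labelled, "cta_phrases": cta, "streams": streams}


if __name__ == "__main__":
    result = analyze(build_sample_pdf())
    for url, channel in result["urls"]:
        print(f"URL {url} ({channel})")
    for s in result["streams"]:
        print(f"stream_{s['object'][0]:03d}_off{s['offset']:08x}.bin "
              f"decompressed-pdf-stream {s['size']} bytes sha256={s['sha256']}")
    print("SE_DOWNLOAD_BUTTON" if result["cta_phrases"] else "no call-to-action phrase")
```

Run it on a real sample by replacing build_sample_pdf() with the file's bytes; the link-annotation URL is the one a click actually follows and is the indicator worth blocking first, while in-text URLs only show what the lure advertises.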