PDF static analysis report

Static analysis result for SHA-256 20b89d02be192c9a…

SUSPICIOUS

PDF

Size: 35.8 KB
Created: 2021-07-03 23:52:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 478ee5e82dd7433db1b19c8d6e914a6f
SHA-1: d237c443d6302c0ef66ee87ced66088d1b8c57bb
SHA-256: 20b89d02be192c9a58bbfe385d5b478d1f2e854ec1abce58baccdacd4c24ac6c
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and a heuristic firing for an external URI, all pointing to sites offering game hacks and free in-game currency. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were extracted, the presence of numerous links to potentially malicious download sites suggests the document is designed to trick users into downloading malware or unwanted software.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00003436.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3436 | 23660 bytes
    SHA-256: d85d3a24b619b4bbde5c4b227b03ab3f96e99a7560a71cbd578fe3b0606ccee1
font_01_sfnt_off00006a0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6A0E | 18080 bytes
    SHA-256: 74e2f50f1d5b9f4143732ae52f695821b99bc90421c1d391145282a45e766ee9