PDF static analysis report

Static analysis result for SHA-256 2514396b48c35a11…

SUSPICIOUS

PDF

33.1 KB Created: 2021-07-06 01:53:12 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: af0bef74c7a4222032b02420a5926d36 SHA-1: 7d0899b20cf6892e176b5ebd1a2ea1ddcdd794bf SHA-256: 2514396b48c35a11045799b4a20e331ef1fea49b335950988be321080db59d3b
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains multiple embedded URLs, including one pointing to 'netcdn.tw' which is associated with game cheats and hacks. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs and a visual download lure suggests an attempt to redirect the user to malicious content. No scripts were extracted, but the overall structure and content indicate a phishing or social engineering attempt to trick users into downloading further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • http://netcdn.tw/app/406889139/cheats-for-coin-master-game-hack (PDF link annotation)
    • http://foo.com.tw/files/coin-master-free-cards-link-2021_GM406889139.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-giver-no-verification_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/how-to-get-free-robux-on-ipad-real_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/hacks-for-roblox-phantom-forces-2021_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/free-roblox-to-play-without-downloading_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/get-free-robux-in-1-minute_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/minecraft-launcher-free_GM479516143.pdf (In PDF document text)
    • http://foo.com.tw/files/coin-master-free-stuff_GM406889139.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-no-verification_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-microsoft_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/how-do-u-turn-of-the-hacks-on-roblox_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/coin-master-free-spin-group_GM406889139.pdf (In PDF document text)
    • http://foo.com.tw/files/robloxlover69-how-to-get-free-robux_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/free-minecraft-account-and-password-generator_GM479516143.pdf (In PDF document text)
    • http://foo.com.tw/files/minecraft-pocket-edition-free-download_GM479516143.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-hack-100-real_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-2021-august_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/coin-master-spin-and-coins-free_GM406889139.pdf (In PDF document text)
    • http://foo.com.tw/files/how-to-change-roblox-username-for-free_GM431946152.pdf (In PDF document text)
    • http://foo.com.tw/files/free-robux-with-no-human-verification_GM431946152.pdf (In PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (In PDF document text)

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_002_off00002dbe.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2DBE | 22412 bytes
  SHA-256: 0ab06eb9668e35bc3a42040448371b54d5fab3afc9e32f14705b11b8ca9adc30
font_01_sfnt_off00005f49.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5F49 | 18164 bytes
  SHA-256: c315ccf9a79b36be1a03c3aee76827ab51131b40fc24ac36c1cd3f6d313de72a