PDF static analysis report

Static analysis result for SHA-256 270e0a9763794697…

SUSPICIOUS

PDF

Size: 42.1 KB
Created: 2021-05-19 19:04:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: be0f488cbf15bb27efe11a65a893d31d
SHA-1: 505bfe42f4bfc9cbb7f2ff480f5fefd37f339b2d
SHA-256: 270e0a9763794697b63bf5827513da8f3203c84dc1fc2175f99b409dc4c6545b
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs pointing to sites offering game-related cheats and hacks, suggesting a lure for users to download malicious content. The ML classifier strongly flagged this PDF as malicious, reinforcing the suspicious nature of the embedded links. The document body, though heavily obfuscated, contains references to 'Pubg Uc Id' and URLs related to game hacks, aligning with the lure strategy.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/1330123889/pubg-uc-id-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off000048a3.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x48A3 | 25392 bytes
  SHA-256: 4981fae112f33b44b4847e3c96c7a70c50ecf5891a10066d4dbf6eb7eb6db105
font_01_sfnt_off000082e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x82E7 | 18072 bytes
  SHA-256: 7285531e4109fc79906030de023d2acbde56661753d3c85b93741f6075f6eec5