PDF static analysis report

Static analysis result for SHA-256 275e9160ade96114…

SUSPICIOUS

PDF

Size: 46.4 KB
Created: 2021-05-12 13:11:00 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 06429f7b57231dc46ae9f327b16a417d
SHA-1: e32e8e2c4958fa3b5401abbbe26288e372de01a5
SHA-256: 275e9160ade96114fb667ac5b2beed2231f7f3269f0a12c892ccd7314c13d9d3
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier and embedded URI heuristics indicate malicious intent. The document body contains links to websites that appear to be lures for free game currency or services, suggesting a phishing or scam operation. Although no scripts were explicitly extracted, the presence of embedded URIs and the ML detection strongly suggest the PDF is designed to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8948

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004b65.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4B65
Size: 26680 bytes
SHA-256: be6389804830dccdcff76970f55616c13dab112144d325e65759838870120a1e

Filename: font_01_sfnt_off000087da.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x87DA
Size: 3056 bytes
SHA-256: dd24a0ab94df4552e459bd06fd01b0fd3f021c1d51d1d64407070e735974a028

Filename: font_02_sfnt_off0000924d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x924D
Size: 18504 bytes
SHA-256: d871dcb748a79589dfb9206c8c26b1b31a59c6b5fd6e64801d8efc9cfdffb698