PDF static analysis report

Static analysis result for SHA-256 351e14775fcb42aa…

SUSPICIOUS

PDF

Size: 46.6 KB
Created: 2021-05-17 05:40:07 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: fb8c74740fd3965588e474d381377ceb
SHA-1: 5613aa5054923ea64e9fa1e29182e2aea007cbf5
SHA-256: 351e14775fcb42aaedba3570b91e38a0639269188cb9b46cbc393175bd59a7d9
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and a prominent external URI pointing to game-related hacks, suggesting a lure for users to download potentially malicious files. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the presence of embedded URLs and the document's theme strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, followed by the channel that reached it):
    • https://netcdn.xyz/app/406889139/coin-master-free-attack-link-game-hack (PDF link annotation)
    • http://k2visual.com.br/images/how-to-get-minecraft-bedrock-for-free_GM479516143.pdf (in PDF document text)
    • http://k2visual.com.br/images/best-free-minecraft-hacked-client_GM479516143.pdf (in PDF document text)
    • http://k2visual.com.br/images/free-minecraft-account-reddit_GM479516143.pdf (in PDF document text)
    • http://k2visual.com.br/images/roblox-download-pc-free_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/how-to-hack-any-roblox-account_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/working-coin-master-hack_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-app-hacks_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-mod-apk-free-download-for-android_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/free-robux-images_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/roblox-imagine_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-hack-2021_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-hack-apk-with-fb-login_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/free-minecraft-skin-maker_GM479516143.pdf (in PDF document text)
    • http://k2visual.com.br/images/get-more-robux_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-daily-free-spins-link-facebook_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/coin-master-free-spins-link-download-today_GM406889139.pdf (in PDF document text)
    • http://k2visual.com.br/images/free-robux-app-real_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/how-to-get-free-robux-easy_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/free-roblox-exploits_GM431946152.pdf (in PDF document text)
    • http://k2visual.com.br/images/how-do-you-get-free-robux-on-roblox_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source and size.

  • stream_003_off00004d22.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4D22
    Size: 26000 bytes
    SHA-256: 1c97f3f4327e9837495c44b03ae1c231bf2b6c0fc2d26a8b6dfdf846b4b752d2
  • font_01_sfnt_off00008838.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8838
    Size: 3652 bytes
    SHA-256: 3c697a9e3e54ccf5b622af7e7811858cfd036d7bcdedbd98d717e6f432d54a26
  • font_02_sfnt_off0000951f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x951F
    Size: 17880 bytes
    SHA-256: 96402d2e96280801386aa337121127c59561cdc8f458ec32dbe1421b57db916e