PDF static analysis report

Static analysis result for SHA-256 379c75cdfa0ca215…

SUSPICIOUS

PDF

Size: 44.7 KB
Created: 2021-05-16 09:08:21 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: e7c1f59c18dc32a44345e1f831cbacf8
SHA-1: 8bb0a444d0bd2f18dba61a6d63238efa5737c914
SHA-256: 379c75cdfa0ca21597fc7fdf63a2393cc047d1c19aeeb78baefc7a8e9645b2eb
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text that promote downloading a "hack" for Coin Master, suggesting a lure for potentially unwanted or malicious software. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the presence of external URIs and the document's content strongly indicate an attempt to trick users into downloading a payload, likely via a spearphishing attachment vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9632

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000048e5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x48E5
    Size: 23696 bytes
    SHA-256: 658a06ac29d3eb986331c0996e7d2e05a31c69391154f0f9589be8471387d035
  • font_01_sfnt_off00007df4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DF4
    Size: 3468 bytes
    SHA-256: c369f8da3885d5c8a6eef0cf136fa192c363ecda52e46681e28944aea5a816c4
  • font_02_sfnt_off00008a3b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A3B
    Size: 18836 bytes
    SHA-256: d746a7c1c5cf5be311eddf8676cfb9402845d24e0d8fc8e00b27a1d9de62f851