PDF static analysis report

Static analysis result for SHA-256 3805c338c21e6ed2…

SUSPICIOUS

PDF

Size: 36.2 KB | Created: 2021-06-26 19:24:45 +07:00 | Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) | First seen: 2021-09-27
MD5: 3eea7f9f6791f9e15eaff45314af7a3b | SHA-1: f933112c14e50d1cd5a2e993c55e483b4f9bc235 | SHA-256: 3805c338c21e6ed2943884bfac6c5443e5177cb3b6fc1274537213db080be6ce
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a heuristic firing for an external URI, suggesting it is designed to redirect users to malicious websites. The document body's content, focusing on game hacks and cheating, serves as a lure to encourage clicks on these links. The ML classifier's high confidence score further supports the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/can-i-get-banned-from-a-roblox-game-for-cheating-game-hack (PDF link annotation)
    • http://library.yamasi.ac.id//repository/coin-master-free-spin-and-coins-links-2021_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/coin-master-hack-spins-download_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/roblox-tp-hack-ccv7_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/play-coin-master_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/free-op-minecraft-servers_GM479516143.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/robux-website_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/coin-master-twitter-free-spins_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/free-links-coin-master_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/roblox-hacks-mas-fuertes_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/coin-master-games-hack_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/como-hackear-coin-master-en-espaol_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/hacked-roblox-game_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/coin-master-spin-link-today-2021_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/coin-master-100-spin_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/free-clothes-for-roblox-2021-youtube_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/coin-master-free-spins-twitter_GM406889139.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/minecraft-java-edition-free-code_GM479516143.pdf (in PDF document text)
    • http://library.yamasi.ac.id//repository/how-to-get-free-robux-on-roblox_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/free-roblox-shirt-templates_GM431946152.pdf (in PDF document text)
    • http://library.yamasi.ac.id/repository/how-to-get-free-stuff-on-roblox-2021-mobile_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000033d1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33D1
    Size: 23328 bytes
    SHA-256: 598b50e5277cc9ff7f34a5b24d28786cc3453370d303c0ef91bbc0109b574318
  • Filename: font_01_sfnt_off000067b7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67B7
    Size: 19472 bytes
    SHA-256: 408dbd7a6cf19439e272b4f8ba36608832cae2be052d44155706d2a442de087f