PDF static analysis report

Static analysis result for SHA-256 44f09faac4c6cbc5…

SUSPICIOUS

PDF

40.4 KB Created: 2021-05-24 01:05:43 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: e5d81fc9e5c3f70fb36d185c400d9eab SHA-1: cca772877dfd8c2898d1470f34f61c131b8bece6 SHA-256: 44f09faac4c6cbc513f18d7469d143bb23c55e0ae5f4e3a1ad4fda93907f41ca
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a call-to-action phrase, attempting to trick users into visiting malicious websites. The ML classifier also flagged the PDF as malicious. The presence of external URIs and the document's content suggest it is a lure for a scam or malware distribution, likely involving a JavaScript exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7718

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (where it was found):
    • https://netcdn.xyz/app/431946152/free-robux-websites-2021-game-hack (PDF link annotation)
    • http://efeikaiwa.net/images/free-stuff-on-roblox-2021_GM431946152.pdf (in PDF document text)
    • http://efeikaiwa.net/images/free-robux-mod_GM431946152.pdf (in PDF document text)
    • http://efeikaiwa.net/images/minecraft-free-no-virus_GM479516143.pdf (in PDF document text)
    • http://efeikaiwa.net/images/tiktok-free-college-books_GM835599320.pdf (in PDF document text)
    • http://efeikaiwa.net/images/spins-gratis-coin-master-hoy_GM406889139.pdf (in PDF document text)
    • http://wolfzscripts (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • stream_002_off0000339d.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x339D
    Size: 26672 bytes
    SHA-256: e5658467c5856b0656453f0856c576055f6a9ce7d707047e3eaafe2d14f3bb12
  • font_01_sfnt_off000070d5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70D5
    Size: 2832 bytes
    SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
  • font_02_sfnt_off00007a85.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A85
    Size: 18836 bytes
    SHA-256: ef44fc6ccc8558fc54da3394cf76e38d99de94399ef86c3bb36f5b939f331685