PDF static analysis report

Static analysis result for SHA-256 458bee9578a9c790…

SUSPICIOUS

PDF

Size: 33.9 KB
Created: 2021-07-06 04:55:28 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 0ff98537bacce1ea0e31b15ebc8b3327
SHA-1: bec30c48a6c21a1525dc560754ca6987edcfd733
SHA-256: 458bee9578a9c790a3a0184ed645af63da5f3e4ad19b763c4db673b7524f073d
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier strongly flagged this PDF as malicious. The document body and embedded URLs promote 'hacks' and 'free coins' for popular games like Coin Master and Roblox, indicating a lure for potentially malicious content. The presence of external URIs suggests the document is designed to redirect users to external sites for further exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000030c0.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x30C0  22268 bytes
  SHA-256: 10fc420e96b482c17a5eeec1f88f4a881aeddf1cec79d37afb7465b60939d190
font_01_sfnt_off0000620d.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x620D  18164 bytes
  SHA-256: 87539b2ce36dbba66f075720f9556e36c071cb06377775487ffba75d6ed8d31d