PDF static analysis report

Static analysis result for SHA-256 496e0276c6b3c485…

SUSPICIOUS

PDF

39.4 KB Created: 2021-05-20 17:08:27 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 45ba366dd033bc135f4fdce30b14f220 SHA-1: 26dff66e9ff5377e62d679f165c414791a0faa3d SHA-256: 496e0276c6b3c485fc6fe2c6efff287937fe295e28f6bb2a987cb1d7f55d1673
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains multiple embedded URLs and a visual call-to-action button, strongly suggesting a phishing or scam attempt. The ML classifier also flagged the PDF as malicious. The content focuses on game hacks and free spins, aiming to trick users into clicking malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/406889139/coin-master-free-spins-link-2021-game-hack PDF link annotation
    • https://elearning.manpaba.sch.id/__statics/gudangsoal/files/coin-master-daily-free-spins-and-coins-2021_GM406889139.pdfIn PDF document text
    • https://elearning.manpaba.sch.id/__statics/gudangsoal/files/2021-no-human-verification-hack-for-coin-master_GM406889139.pdfIn PDF document text
    • https://elearning.manpaba.sch.id/__statics/gudangsoal/files/roblox-robux-hack-generator_GM431946152.pdfIn PDF document text
    • https://elearning.manpaba.sch.id/__statics/gudangsoal/files/coin-master-hack-without-root_GM406889139.pdfIn PDF document text
    • https://elearning.manpaba.sch.id/__statics/gudangsoal/files/minecraft-windows-10-hacks_GM479516143.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000330c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x330C 26784 bytes
SHA-256: aa1ad22bf260c020b5d2d8f2db9f06cd161691c197123f32ad534afe177bfbe8
font_01_sfnt_off00006e1e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6E1E 2820 bytes
SHA-256: 96a70491b0783ad8c6fc9b11a18f021aa22c69ac41ee4499b781d16a1b99b689
font_02_sfnt_off000077be.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x77BE 18456 bytes
SHA-256: 405c435adaafa0da304b7a4986d8f56c56dc87ed278d5cff2ac0c57977d8d7e3