PDF static analysis report

Static analysis result for SHA-256 4b6c46bb3f7a9b94…

Verdict: SUSPICIOUS
File type: PDF
Size: 54.9 KB
Created: 2021-05-11 14:55:08 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 231f2ac1f8e41800021a293e70d304fd
SHA-1: d4ae20fea345c317d2fc2143f9bc8106b39ae3ef
SHA-256: 4b6c46bb3f7a9b94844a74eea571070021abc899e77b896bc507ddf601df4ca6
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text that promote "hacks" for popular games, aiming to trick users into downloading malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports a malicious intent to redirect users to potentially harmful sites. No scripts were extracted from this sample, but the overall pattern suggests a downloader or redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8531

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-hack-spin-ios-game-hack (channel: PDF link annotation)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                       Kind                      Source                                      Size
stream_003_off00004aba.bin     decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x4ABA    26360 bytes
  SHA-256: cb478cbf17b1e4c762db0b065309d85affae427b00f769ad2b63358a0621fac3
font_01_sfnt_off000088d2.bin   pdf-font-stream           PDF embedded font (sfnt) at offset 0x88D2   3088 bytes
  SHA-256: e7854aff7cbc8fbdeb85d2b3d6248d12dc820ede8a581f4eac107fa6446c2222
font_02_sfnt_off0000939d.bin   pdf-font-stream           PDF embedded font (sfnt) at offset 0x939D   7960 bytes
  SHA-256: cf7ae5cf6bef3222f5a26bec705b492fed0278aec6b16ec101aeda46e0edd2b2
font_03_sfnt_off0000a6c3.bin   pdf-font-stream           PDF embedded font (sfnt) at offset 0xA6C3   17892 bytes
  SHA-256: 8a2199a6fb9e6551992738fdb7d2625a8f143b5a9fef4499610b6e02eb0e5450
font_04_sfnt_off0000c7a9.bin   pdf-font-stream           PDF embedded font (sfnt) at offset 0xC7A9   4272 bytes
  SHA-256: fac9a06ceb5574feb8580c075df3ef69dfbd0efa4947186cfe90f11b68eaafb0