PDF static analysis report

Static analysis result for SHA-256 4dfa158f42716a4a…

SUSPICIOUS

PDF

Size: 34.8 KB
Created: 2021-06-19 04:16:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c6f2984f5e9c39f100de4f8e86792c51
SHA-1: 287dd471410390a5d97e2e3e454dc4ebfda85bb5
SHA-256: 4dfa158f42716a4a3a4dce4f35324ccd1a5b40f41a99a41e9b5a2e11c13e6974
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains numerous URLs and text related to game cheats and hacks, strongly suggesting a lure for downloading malicious content. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were explicitly extracted, the presence of embedded URLs and the document's theme indicate a phishing attempt to trick users into downloading malware disguised as game cheats.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) [PDF_URI]
    PDF contains an external URL action
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel that reached each URL in parentheses):
    • http://netcdn.co/app/431946152/roblox-noclip-hack-2021-game-hack (PDF link annotation)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-coin-master-cards_GM406889139.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/coin-master-hack-tool-2021_GM406889139.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/roblox-hacks-download-free-dll_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-minecraft-texture-packs_GM479516143.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/master-coin-free-link_GM406889139.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/kuso-icu-roblox-hack_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/how-do-i-get-robux_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/coin-master-spin-rewards_GM406889139.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/roblox-do-you-want-free-robux-ad_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/how-to-get-free-robux-easy-hack_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-printable-minecraft-coloring-pages_GM479516143.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/roblox-com-free_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-roblox-com_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/sites-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/rblx-gg-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/daily-free-spins-coin-master_GM406889139.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-robux-with-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-minecraft-maps_GM479516143.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/free-roblox-accounts-with-robux-discord_GM431946152.pdf (in PDF document text)
    • http://www.shivintech.com/uploaded_files/userfiles/files/earn-free-spins-for-coin-master_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f73.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F73
Size: 22584 bytes
SHA-256: 19a202716d8353df1de44a150f70a93943fd27418e59b3aa0530af8ccba80f93

Filename: font_01_sfnt_off000061ef.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x61EF
Size: 19352 bytes
SHA-256: d8f77e8ded6863815401c014e942e461c6f0f1dc04c32625687430fb80bfa368