PDF static analysis report

Static analysis result for SHA-256 4ea477e36f49e1f1…

SUSPICIOUS

PDF

Size: 34.9 KB
Created: 2021-07-05 01:27:44 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: ba5cfc87c331d0e85c696fe274fbeced
SHA-1: 9cca8d099d5c986fd875d9817c1effd99bf38513
SHA-256: 4ea477e36f49e1f18d1e04fba43cd22ddd01cb681c4a32b4c73f7edc66f8e442
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous links to external resources, with one prominent URL pointing to a download for 'hacked games'. The ML classifier strongly indicated maliciousness, and the presence of external URIs suggests the document is designed to redirect users to download potentially harmful files. No scripts were extracted from this sample, limiting the ability to determine specific execution methods.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://netcdn.tw/app/406889139/download-hacked-games-com-coin-master-game-hack (channel: PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off000030b5.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x30B5
  Size: 22864 bytes
  SHA-256: ce6998a45b9164ee56256001e6817fbb1e791276a4f0b3e350bcf1f86d4abd29

Filename: font_01_sfnt_off00006421.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6421
  Size: 18844 bytes
  SHA-256: d6bbba44fdf6698b8b7aa96d1af5e520d01dd7071d16206ec7b75659562237bd