PDF static analysis report

Static analysis result for SHA-256 6bb4b4a688ddb6ad…

SUSPICIOUS

PDF

Size: 44.8 KB
Created: 2021-05-10 19:08:07 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17
MD5: 5abdad60b502108bb17dbf62092d75d4
SHA-1: 8dcc5b6a3ef6c20cd4216b480e19b179ae9cf792
SHA-256: 6bb4b4a688ddb6ad4e16d4ec8c3223e558e49f119a069c3c25c6a90f996112eb
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier strongly indicates maliciousness, and the document body contains lures for game cheats and free currency. Several embedded URLs point to suspicious domains, suggesting the PDF is designed to redirect users to potentially malicious sites for further exploitation or malware delivery. No scripts were extracted, but the presence of external URIs and the ML classification point to a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9696

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_003_off0000478f.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x478F    25136 bytes
    SHA-256: 3d304928f4fbd6656b53688bf4a67934b0dbc0fa8cb372db5d9daa0c1b70a24a
font_01_sfnt_off000080bb.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x80BB   2820 bytes
    SHA-256: 96a70491b0783ad8c6fc9b11a18f021aa22c69ac41ee4499b781d16a1b99b689
font_02_sfnt_off00008a5c.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x8A5C   18996 bytes
    SHA-256: c7201ec4c3a8de5860eeb2e6c9e6c90ee147184e9a3338a06e2bc3af5219e027