PDF static analysis report

Static analysis result for SHA-256 6f0086a9c7871200…

SUSPICIOUS

PDF

Size: 31.2 KB
Created: 2021-07-21 23:22:51 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: b3383e376c2386331da86749c8e41b28
SHA-1: fb0af00b8ca70fa384a0c29019ca27989bbcfbe9
SHA-256: 6f0086a9c787120025e5bef7d9c52b4787c0de3221d045b3be445dd94d39f937
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a call-to-action phrase, strongly suggesting a phishing or social engineering attempt. The ML classifier also flagged this PDF as malicious. The primary URL points to a "minecraft-free-online-game-hack", indicating a lure for game-related cheats or exploits. No scripts were extracted, but the presence of external URIs and the ML detection suggest the document is designed to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9893

Heuristics (3)

  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/479516143/minecraft-free-online-game-hack (PDF link annotation)
    • http://rushxpress.de/images/free-tiktok-coins_GM835599320.pdf (in PDF document text)
    • http://rushxpress.de/images/how-to-get-robux-for-free-2021_GM431946152.pdf (in PDF document text)
    • http://rushxpress.de/images/free-robux-hack-generator_GM431946152.pdf (in PDF document text)
    • http://rushxpress.de/images/free-minecraft-skin-maker_GM479516143.pdf (in PDF document text)
    • http://rushxpress.de/images/free-robux-codes_GM431946152.pdf (in PDF document text)
    • http://rushxpress.de/images/minecraft-java-edition-redeem-code-free-2021_GM479516143.pdf (in PDF document text)
    • http://rushxpress.de/images/minecraft-for-free-on-phone_GM479516143.pdf (in PDF document text)
    • http://rushxpress.de/images/free-coins-coin-master_GM406889139.pdf (in PDF document text)
    • http://rushxpress.de/images/minecraft-bedrock-hacks_GM479516143.pdf (in PDF document text)
    • http://rushxpress.de/images/minecraft-apk-free-download_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000029e5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x29E5 | 21908 bytes
  SHA-256: bfe821651b13e4da748c9fa0aa1c5093e5223b9f9f24e7ac12693f003b04dc37
font_01_sfnt_off00005a0e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A0E | 17644 bytes
  SHA-256: d3a8b3d8bd2249c6206e1557dca74d08ec9c3b58c2328dc4779a04ae87c22ca2