PDF static analysis report

Static analysis result for SHA-256 6fee6970f78f8a90…

SUSPICIOUS

PDF

Size: 35.4 KB
Created: 2021-07-05 20:00:56 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: dba9628d80b9efcb3d30689fc77f5641
SHA-1: 14a9b7eddc2071542ac479ed370e17c2e828765f
SHA-256: 6fee6970f78f8a9077687298dd3eb224dee4fd6a9dee7bfa798217b877bf40d1
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a URL pointing to a download for a "hack-coin-master-apk". The "download button" heuristic, combined with the ML classifier flagging the PDF as malicious, strongly suggests the document is designed to trick users into downloading and executing potentially harmful software. The primary IOC is the direct download URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/406889139/hack-coin-master-apk-32-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003403.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3403
    Size: 22860 bytes
    SHA-256: 478fc9c4dcb209f1261ac6fad497e8e06a838f7f16a55256fa1d81e9a338e006
  • Filename: font_01_sfnt_off00006715.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6715
    Size: 18480 bytes
    SHA-256: 82043cd03fcb91cdae9089e060db25798972bbdf1481bdd3256787c2d2233951