PDF static analysis report

Static analysis result for SHA-256 75062e962c06f832…

Verdict: SUSPICIOUS

File type: PDF

Size: 33.8 KB
Created: 2021-07-09 20:11:06 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: de78f79175c764c0d434239085c49f8f
SHA-1: 872514c40ccba1793f51862f2e4bce5f3a08f6d8
SHA-256: 75062e962c06f832cae6252e42a34813188896a112e6a587f70f97796e35c6d4
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document's body text and its single link annotation point to game "hacks" and "cheats" for Roblox, Coin Master and Minecraft, hosted on third-party sites: a lure intended to get the reader to fetch further files. The ML classifier scores the PDF as malicious with high confidence, and the external URIs support the reading that its purpose is to redirect users to potentially harmful content. No JavaScript or other scripts were extracted, and no exploit-style structure was observed; the document's structure and content are consistent with a lure for malware distribution rather than with an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • SE_DOWNLOAD_BUTTON (severity: low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (severity: info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (URL, channel):
    • http://netcdn.tw/app/431946152/roblox-piano-hack-game-hack (PDF link annotation)
    • https://xiangquan.com.tw/image/data/files/moon-active_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/roblox-hacks-x-ray-2021_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/coin-master-cheats-2021_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/inside-the-world-of-roblox-pdf-free-download_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/coin-master-free-spins-link-blogspot_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/coin-master-hack-ios-2021_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/get-more-robux_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/get-free-robux-com_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/coin-master-links-for-free-spins_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/free-minecraft-server-hosting_GM479516143.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/roblox-studio-free_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/free-robux-real-2021_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/how-to-get-free-robux-easy_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/free-attacks-on-coin-master_GM406889139.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/roblox-robux-hack-page_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/f3x-hack-roblox_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/minecraft-hacked-client-download_GM479516143.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/roblox-free-robux-codes_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/free-robux-not-fake_GM431946152.pdf (in PDF document text)
    • https://xiangquan.com.tw/image/data/files/coin-master-free-spin-facebook-link_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
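The per-URL channel labels above come from two different places in the file: a /URI action attached to a link annotation object, versus a bare URL drawn as text inside a page content stream. The following Python script is an added example (it is not this report's analysis pipeline, and it was not run against the sample above) that reproduces that distinction on a constructed minimal PDF built inline: it inflates FlateDecode content streams, pulls URLs from the decoded text, pulls /URI action targets from plain objects, checks for call-to-action phrases, and combines them the way the three heuristics above combine (the call-to-action hit only escalates when a URL channel is also present). The sample PDF, the example.invalid hostnames and the CTA_PHRASES list are assumptions for the example. It handles only literal-string text in non-object-stream objects; real wkhtmltopdf output often draws text with hex strings and subset-font encodings, which need a full PDF parser and text extractor.

```python
import re
import zlib

# --- Constructed sample (built here for the example; NOT the analyzed file) ------------
# One page, one /Link annotation with a /URI action, and a FlateDecode-compressed content
# stream whose drawn text holds a bare URL beside a call-to-action phrase. The reserved
# .invalid TLD is used so nothing here resolves.
_TEXT_OPS = (b"BT /F1 12 Tf 72 700 Td "
             b"(Download Now: https://example.invalid/files/free-robux_GM000.pdf) Tj ET")
_COMPRESSED = zlib.compress(_TEXT_OPS)

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    + b"4 0 obj << /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >>\n"
    + b"stream\n" + _COMPRESSED + b"\nendstream\nendobj\n"
    + b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710]"
    + b" /A << /S /URI /URI (http://example.invalid/app/000/roblox-hack) >> >> endobj\n"
    + b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# --- Extraction ------------------------------------------------------------------------
_STREAM_START = re.compile(rb"\bstream\r?\n")          # \b keeps "endstream" from matching
_DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skip indirect "/Length 6 0 R"
_URI_ACTION = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.DOTALL)
_URL = re.compile(rb"https?://[^\s()<>\[\]\"']+")
CTA_PHRASES = ("click here to download", "download now", "download here", "free download")  # assumed list


def iter_stream_bodies(pdf):
    """Yield each stream body; inflate it when the owning object dictionary names /FlateDecode."""
    for m in _STREAM_START.finditer(pdf):
        end = pdf.find(b"endstream", m.end())
        if end < 0:
            break
        dict_end = pdf.rfind(b">>", 0, m.start())
        obj_dict = pdf[pdf.rfind(b"obj", 0, dict_end):dict_end]   # from "N G obj" to its ">>"
        length = _DIRECT_LENGTH.search(obj_dict)
        if length:  # trust a direct /Length rather than stripping EOL bytes off binary data
            body = pdf[m.end():m.end() + int(length.group(1))]
        else:
            body = pdf[m.end():end].rstrip(b"\r\n")
        if b"/FlateDecode" in obj_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # damaged or non-standard stream: fall back to the raw bytes
        yield body


def _unescape(literal):
    """Undo PDF literal-string escapes for the three characters that matter in a URL."""
    return re.sub(rb"\\([()\\])", rb"\1", literal).decode("latin-1")


def link_annotation_uris(pdf):
    """URLs reached through /URI actions in plain (non-object-stream) objects."""
    return [_unescape(m.group("uri")) for m in _URI_ACTION.finditer(pdf)]


def document_text_urls(pdf):
    """URLs that appear as literal text inside (decoded) content streams."""
    found = []
    for body in iter_stream_bodies(pdf):
        found.extend(u.decode("latin-1") for u in _URL.findall(body))
    return found


def call_to_action_phrases(pdf):
    """Call-to-action phrases found in decoded content-stream text (case-insensitive)."""
    hits = []
    for body in iter_stream_bodies(pdf):
        text = body.decode("latin-1").lower()
        hits.extend(p for p in CTA_PHRASES if p in text)
    return hits


def analyze_pdf(pdf):
    """Label each URL with its channel and combine the findings like the report's heuristics."""
    urls = [(u, "PDF link annotation") for u in link_annotation_uris(pdf)]
    urls += [(u, "In PDF document text") for u in document_text_urls(pdf)]
    cta = call_to_action_phrases(pdf)
    heuristics = []
    if cta:
        heuristics.append("SE_DOWNLOAD_BUTTON")
    if any(channel == "PDF link annotation" for _, channel in urls):
        heuristics.append("PDF_URI")
    if urls:
        heuristics.append("EMBEDDED_URL")
    # The CTA phrase alone is low-signal; it escalates only when a URL channel is present.
    if "SE_DOWNLOAD_BUTTON" in heuristics and "EMBEDDED_URL" in heuristics:
        verdict = "SUSPICIOUS"
    elif heuristics:
        verdict = "INFO"
    else:
        verdict = "CLEAN"
    return {"urls": urls, "heuristics": heuristics, "cta": cta, "verdict": verdict}


if __name__ == "__main__":
    report = analyze_pdf(SAMPLE_PDF)
    print(report["verdict"], report["heuristics"])
    for url, channel in report["urls"]:
        print(f"  {url}  [{channel}]")
```

Running it prints SUSPICIOUS with all three rule IDs and the two URLs, each tagged with the channel it came from. Swapping the constructed bytes for `open(path, "rb").read()` works on simple files, but anything with object streams (/ObjStm), indirect /Length values or non-literal text needs a real parser such as pypdf or pdfminer rather than these regexes.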

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002e1c.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2E1C
Size: 22280 bytes
SHA-256: 4ca820249da855a3375727440a07494e20ab3051d910aa22a85e03f82212ee82

Filename: font_01_sfnt_off00005f7b.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F7B
Size: 18932 bytes
SHA-256: bea12f5c1905fe5d1ca5acd369b45985eddae9fbbbe34fc32947a46404ebe472