PDF static analysis report

Static analysis result for SHA-256 75ccc728c5f8d5be…

SUSPICIOUS

PDF

53.1 KB Created: 2021-05-11 03:08:18 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 0491a43556fb11293a3c7b15a0e0d10f SHA-1: 117ae4914281cbc73df55af69ffe5cf4bcbf30fd SHA-256: 75ccc728c5f8d5be8198686946382d06fd9960496acb3ee9c4ebe09ef6e55378
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs that advertise free game currency or items, such as Minecraft Java or Robux. The ML classifier flagged this PDF as malicious with high confidence. The presence of these lures suggests an attempt to trick the user into downloading a second-stage payload, likely disguised as a game cheat or hack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9017

Heuristics (3)

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_003_off00004d46.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4D46    25172 bytes
  SHA-256: e56807e66616f7b4137a77cf22f0f62374dfa47971ee4a58cdd6144547c4a29a
font_01_sfnt_off000085f3.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x85F3   7936 bytes
  SHA-256: 218d53b68bdddb064f6fba4be822d5b3725ed1cef1a3b42796a8dd99c4a62f4e
font_02_sfnt_off00009f1d.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x9F1D   4232 bytes
  SHA-256: ab6320ab342704d2c5943abfba82ed4837bf2da871c91621741fd4cfd15c6ed5
font_03_sfnt_off0000adaa.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xADAA   18152 bytes
  SHA-256: f45ec97da20a8e70f6e7437c3ced33d3bcbd99aef5af4daf3be0ff08d51a9e58