PDF static analysis report

Static analysis result for SHA-256 7e373e29a4b06549…

Verdict: SUSPICIOUS
File type: PDF
Size: 37.5 KB
Created: 2021-05-20 17:00:48 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 97b82bd8c25169c4eb4d4d4a9e77d3c9
SHA-1: d694bb4dfebfc81f31a8c27215b0ecde69bb5281
SHA-256: 7e373e29a4b0654994d4472ce57022eee71120320e4bd1eee7c74588ce93bbaf
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs and a visual download button lure, suggesting an attempt to trick the user into visiting a malicious site. The ML classifier strongly flagged this PDF as malicious. The document body and embedded URLs point towards a lure related to game hacks and free in-game currency, which is a common social engineering tactic.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/how-to-play-minecraft-with-friends-for-free-game-hack (PDF link annotation)
    • http://sbm-nn.ru/images/hack-coin-master-spin_GM406889139.pdf (in PDF document text)
    • http://sbm-nn.ru/images/get-free-robux-without-doing-anything_GM431946152.pdf (in PDF document text)
    • http://sbm-nn.ru/images/how-to-hack-coin-master-root_GM406889139.pdf (in PDF document text)
    • http://sbm-nn.ru/images/free-robux-no-human-verification-or-survey_GM431946152.pdf (in PDF document text)
    • http://sbm-nn.ru/images/best-way-to-get-robux_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00003761.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3761
    Size: 24972 bytes
    SHA-256: 8280343edad67d7d0f0826d2bae9c4498dd632163e1e3d210dd1c81cf547dba7
  • Filename: font_01_sfnt_off00006fb0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FB0
    Size: 18820 bytes
    SHA-256: 929f662ac2eae5fd14fa3d9c39139152715d90a6a2f974c19280ca038199c6c7