PDF static analysis report

Static analysis result for SHA-256 7f85136479b80950…

Verdict: SUSPICIOUS
File type: PDF
Size: 34.1 KB
Created: 2021-07-10 02:50:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 9b80deab876d8d418a4dfdc492025f68
SHA-1: d1b86aaf94e348d165fc7bd512c552b6e434cfcf
SHA-256: 7f85136479b8095049efc7e3aa194ceb4a36399850b165f8b6e0ee05250c47a1
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a single clickable link annotation whose URI action points to a game-hack download page, and the ML classifier scores it as malicious with high confidence (0.9980). The extracted body text, though truncated, is a list of further game-hack and free-currency download links (Roblox, Coin Master, Minecraft) hosted as sibling PDFs under one third-party site; the numeric path segment of the link-annotation target (406889139) matches the _GM406889139 suffix on the Coin Master links. The file is a download lure: it poses as a cheat or hack for popular games so that the user clicks through and fetches a second-stage payload, most likely malware. The static findings are limited to a URI action, extracted URLs and a call-to-action phrase; no JavaScript, OpenAction or embedded-file finding is reported, so the payload is not inside this sample and the verdict rests on the lure content and the classifier score.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/406889139/spin-coin-game-hack [PDF link annotation]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/how-to-get-free-robux-hack_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/how-to-get-free-robux-glitch-with-only-inspect_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/free-spins-generated-from-coin-master_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/coin-master-hack-version-download-ios_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/roblox-hack-apk-download-android_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/how-to-get-free-robux-with-no-verification_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/hack-de-roblox-2021-descargar_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/how-to-hack-roblox-passwords_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/coin-master-daily-free-spin-app_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/coin-master-hacks-no-verification_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/free-spins-coin-master-2021-hack_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/robux-hack-2021_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/get-free-robux-2021_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/minecraft-pe-015-0-apk-free-download_GM479516143.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/coin-master-hack-with-facebook-login_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/minecraft-build-hacks_GM479516143.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/coin-master-spin-rewards_GM406889139.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/pokemon-brick-bronze-roblox-cheats_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/free-roblox-accounts-2021-august_GM431946152.pdf [In PDF document text]
    • https://darulfalah-tulungagung.com/__statics/gudangsoal/files/how-to-hack-coin-master-without-root_GM406889139.pdf [In PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [In PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind                      Source                                      Size
stream_002_off000030bf.bin     decompressed-pdf-stream   PDF FlateDecode stream at offset 0x30BF     22840 bytes
    SHA-256: 4e21b773963bcf98d9d1f09caebf8a6bf9b553eda9dc7de530d381e2ce38455b
font_01_sfnt_off000063e2.bin   pdf-font-stream           PDF embedded font (sfnt) at offset 0x63E2   17908 bytes
    SHA-256: b68420fea77245169a4148fb81a2a69b43defff413f27b9c268d76ec53e932b8
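The per-URL channel labelling described under Embedded URL and the stream carving listed under Extracted artifacts, as an added example that is not the report's own engine: a regex-based Python triage script that carves FlateDecode streams (offset, raw size, SHA-256 of the decoded data), separates /URI link-annotation targets from URLs found in decoded page text, and applies the three heuristics above. The sample PDF, the placeholder hosts (cdn.example, files.example) and the verdict rule are constructed assumptions. The script only finds text written as literal (...) strings; wkhtmltopdf output typically emits TJ arrays of glyph codes for subset fonts, so a production extractor needs a real text decoder on top of this.

```python
"""Toy PDF triage: carve FlateDecode streams, label URLs by channel, flag lures.
Added example, not the report's engine; regex-based, no xref walking."""
import hashlib
import re
import zlib

# Constructed sample (not the analysed file): one page, one FlateDecode
# content stream holding a lure phrase and a body URL, and one /Link
# annotation whose /URI action points at a different (placeholder) host.
SAMPLE_TEXT = (b"BT (Download Now) Tj "
               b"(more: https://files.example/gudangsoal/game-hack_GM1.pdf) Tj ET")
SAMPLE_STREAM = zlib.compress(SAMPLE_TEXT)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(SAMPLE_STREAM),
    SAMPLE_STREAM, b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
    b"/A << /S /URI /URI (http://cdn.example/app/1/game-hack) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Dictionary (one level of nesting allowed) immediately followed by 'stream'.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
CTA_PHRASES = (b"click here to download", b"download now", b"free download")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_streams(pdf):
    """FlateDecode streams as dicts: offset, raw_size, decoded data, sha256.
    A direct /Length is honoured; otherwise scan to 'endstream'. Streams that
    fail to inflate are kept with data=b'' so the offset is still reported."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        if b"/FlateDecode" not in dictionary:
            continue
        length = re.search(rb"/Length\s+(\d+)\s*(?:/|$)", dictionary)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = b""
        out.append({"offset": start, "raw_size": len(raw), "data": data,
                    "sha256": sha256_hex(data)})
    return out


def link_annotation_uris(pdf):
    """Targets of /URI actions, i.e. what a /Link annotation opens on click.
    Literal (...) strings only; hex <...> strings are not handled here."""
    return [m.group(1).decode("latin-1")
            for m in re.finditer(rb"/URI\s*\(([^)]*)\)", pdf)]


def analyse(pdf):
    """Label each URL with the channel that reached it and apply the report's
    three heuristics. Verdict rule is a deliberate simplification (assumed):
    a call-to-action phrase plus a clickable external URI is a download lure."""
    streams = carve_streams(pdf)
    text = b"\n".join(s["data"] for s in streams)
    urls = [(u, "PDF link annotation") for u in link_annotation_uris(pdf)]
    urls += [(u.decode("latin-1"), "In PDF document text") for u in URL_RE.findall(text)]
    cta = [p.decode() for p in CTA_PHRASES if p in text.lower()]
    clickable = any(ch == "PDF link annotation" for _, ch in urls)
    findings = []
    if clickable:
        findings.append(("PDF_URI", "info"))
    if urls:
        findings.append(("EMBEDDED_URL", "info"))
    if cta:
        findings.append(("SE_DOWNLOAD_BUTTON", "low"))
    verdict = "suspicious" if (cta and clickable) else "informational"
    return {"streams": streams, "urls": urls, "cta": cta,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    r = analyse(SAMPLE_PDF)
    for s in r["streams"]:
        print("stream at 0x%X, %d bytes raw, sha256 %s" % (s["offset"], s["raw_size"], s["sha256"]))
    for url, channel in r["urls"]:
        print("URL %s [%s]" % (url, channel))
    print("findings:", r["findings"], "verdict:", r["verdict"])
```

Run it as a script to see the same three labelled lines the report prints; the link-annotation URL is the one a click actually follows, which is why it carries the PDF_URI finding while body-text URLs only count towards EMBEDDED_URL.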