PDF static analysis report

Static analysis result for SHA-256 83307453c493df5d…

SUSPICIOUS

PDF

Size: 45.7 KB
Created: 2021-05-19 14:20:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 4230cbcf1899dc82e86096f6cf579315
SHA-1: 1fca1041fec707a453fb66f696d19258a0bde8c9
SHA-256: 83307453c493df5dd4cb974052f0f791531ce13594a24014e9183db2d0899745
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a heuristic firing for an external URI, suggesting it is designed to redirect users to download potentially malicious content. The document body, though partially corrupted, contains references to game hacks and updates, indicating a lure for users seeking such content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics (3)

  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-update-2021-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004d24.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4D24
  Size: 24464 bytes
  SHA-256: 3e0a5e27766cc66cd2ba2b9574fd3ec20615f0dd230b3278b37d1d0605a4c9a2

Filename: font_01_sfnt_off00008553.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8553
  Size: 2880 bytes
  SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132

Filename: font_02_sfnt_off00008f3e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F3E
  Size: 18484 bytes
  SHA-256: 2d3a472fcc561fc481c0da5969c31466f96864982e6dea6036c3c65c06d6ed28