PDF static analysis report

Static analysis result for SHA-256 969170920221ef6f…

SUSPICIOUS

PDF

Size: 46.4 KB
Created: 2021-05-13 08:46:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: b401cdef95faa62c24188f1ef2075fd0
SHA-1: 10163a392dcf59d72ffdcdc8630cacbfdf9edd36
SHA-256: 969170920221ef6fd6789a166be586d3acea87d38a1141a71da4fa229fb56e48
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a lure related to 'Coin Master' free spins, directing users to a suspicious URL. The ML classifier also flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the overall structure suggest an attempt to redirect the user to a malicious site, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8948

Heuristics 3

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/free-spins-october-28-2021-coin-master-game-hack (PDF link annotation)

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • stream_003_off00004f2e.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4F2E
    Size: 25084 bytes
    SHA-256: 6713f4eeab8a17b101c8d784182a7aacd8b7ff1e00e8f1de5bd02864d9b36bd8
  • font_01_sfnt_off000087b4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x87B4
    Size: 2880 bytes
    SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
  • font_02_sfnt_off0000919e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x919E
    Size: 18656 bytes
    SHA-256: ae43edb7d968773fa01f40288fe30e864a12c720900b1687a5763e30cc6382a2