PDF static analysis report

Static analysis result for SHA-256 98464aadbc813c6a…

Verdict: SUSPICIOUS
File type: PDF
Size: 33.3 KB
Created: 2021-06-22 21:10:36 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c8a8e57e26277d45518c3408e067db31
SHA-1: 7aa7673f8beced467574d4f773a9113e138da0b1
SHA-256: 98464aadbc813c6a20cde385e6a9f6b1a72b9d3d4407f4cff3d78da0aac7b60c
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text that lure users into clicking links related to game hacking and cheats. The ML classifier strongly flagged this PDF as malicious, indicating a high probability of it being used for phishing or malware distribution. The primary URL, http://netcdn.co/app/431946152/how-to-hack-into-someones-roblox-account-game-hack, is likely the destination for a payload or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9824

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/how-to-hack-into-someones-roblox-account-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002c5f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2C5F | 21844 bytes
  SHA-256: d84fc95c353584c9d0bc3b8a1929b53a87a1b4a983e8dc4bda9d1383eb660f12
font_01_sfnt_off00005c8e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C8E | 19324 bytes
  SHA-256: 24cbb78c2e4d02f15d6dff94c04074d97d349401c8d74d3264b26149d869587d