PDF static analysis report

Static analysis result for SHA-256 9cc33694bf0e7b80…

SUSPICIOUS

PDF

38.6 KB Created: 2021-05-24 02:36:37 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 07f07aa9507da85b16584a6e45d17a35 SHA-1: d59908060d18e9ae525e3870001ec6ff4f2cb6f1 SHA-256: 9cc33694bf0e7b8009c110041fc85c55437cceeb2df54fd8f37032a18d4d804a
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a primary external URI pointing to domains associated with game hacks and cheats. The ML classifier strongly flagged this PDF as malicious, and the document body, though partially corrupted, suggests a lure for free game accounts. The presence of embedded links and the overall context indicate an attempt to trick the user into downloading a potentially malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/free-minecraft-java-account-game-hack PDF link annotation
    • http://yucaboats.com/images/hack-coin-master-apk-download_GM406889139.pdfIn PDF document text
    • http://yucaboats.com/images/minecraft-life-hacks_GM479516143.pdfIn PDF document text
    • http://yucaboats.com/images/how-to-get-free-robux-on-phone-2021_GM431946152.pdfIn PDF document text
    • http://yucaboats.com/images/coin-master-hack-spins-download_GM406889139.pdfIn PDF document text
    • http://yucaboats.com/images/roblox-data-breach_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003233.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3233 24920 bytes
SHA-256: 2e84887143c4f289150021eeb7a4eda3d4a67738fe99aa4c9c95937fd15bc6fa
font_01_sfnt_off00006b84.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6B84 3048 bytes
SHA-256: 7aed23e3b68cab7de2c2aefefb33ea4a9986b96cd09e362fef58ffc656ee58fc
font_02_sfnt_off00007603.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7603 18128 bytes
SHA-256: ad2a0848393495eee102bd1b36be1bc15cd9afc8a8e02692ab65cad6db8d4212