PDF static analysis report

Static analysis result for SHA-256 9df3cc63ce4ed6db…

SUSPICIOUS

PDF

35.6 KB Created: 2021-05-10 11:31:16 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-01
MD5: 7a2ec5c7182ad659437e7ee9844ff29e SHA-1: d5e4d2888a91627a77552e269b358681c62a8562 SHA-256: 9df3cc63ce4ed6db88d316f713ee96eabac3d37d426a555a57152de6caacf20c
36 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious Link

This PDF document was flagged as suspicious by an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7588

Heuristics 3

  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/406889139/hack-coin-master-3.4.3-apk-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000343f.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x343F 24784 bytes
SHA-256: cdafd197bc1e509ae5ea2f596e7ed7e62c507a81de8208206f276dcf5ba99b50
font_01_sfnt_off00006cc2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6CC2 18196 bytes
SHA-256: c3b275253d9351e2e74b82a9dafc4156583904968b89422ea15a6a95515ae557