PDF static analysis report

Static analysis result for SHA-256 a1a7274a3910074c…

SUSPICIOUS

PDF

Size: 43.5 KB
Created: 2021-06-10 23:43:36 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 50156b5f66e6113bf6ecac38c87ffbd9
SHA-1: 6efa77ae71ad7027e0c655b8e9864a83ebff0f0b
SHA-256: a1a7274a3910074ce66223f6e651baf251345047ae7195c2b6498c8d9a09505b
Risk Score: 54

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs and a document body that references 'Roblox Hacking Community' and 'game hack', suggesting a lure aimed at users interested in such topics. The ML classifier strongly flagged this PDF as malicious. The presence of external URIs, including an IP-literal URI, indicates an attempt to redirect the user to external content, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics (3)

  • Clickable URI points to raw IP address (severity: medium, rule PDF_URI_IP_LITERAL)
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off000055d9.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x55D9
    Size: 28108 bytes
    SHA-256: 47ef0cf969441c7f5369d1b4db099f9786f68b35c3ef563b60f6555b23027a22
  • Filename: font_01_sfnt_off000097f9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x97F9
    Size: 7420 bytes
    SHA-256: 0b188308ab0e7ffce9913d63d697a586f2937cafc51a771db38e3a566cd37e24