PDF static analysis report

Static analysis result for SHA-256 a4aba99b8a28b608…

SUSPICIOUS

PDF

Size: 55.4 KB
Created: 2021-05-17 21:29:04 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 3d768d5ef7e67bfd74fed2eb558fdc0a
SHA-1: a720051be702604f3e10561d4d6d4e93962458c1
SHA-256: a4aba99b8a28b6085ffe308fa1b970ab31e863371ebb3d3a32b993d26a970f3c
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains multiple embedded URLs and a visual call-to-action, strongly suggesting a phishing or social engineering attempt. The document body and extracted URLs indicate a lure related to "Coin Master" game hacks, aiming to trick users into downloading potentially malicious applications or visiting further compromised sites. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8531

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_003_off00004ac6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4AC6 | 27200 bytes | 3421627be0e1a7ea78348d4b8ee76214f339984106c5be37e43e57806f3d8c49
font_01_sfnt_off000089a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x89A6 | 3088 bytes | e7854aff7cbc8fbdeb85d2b3d6248d12dc820ede8a581f4eac107fa6446c2222
font_02_sfnt_off00009471.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9471 | 7960 bytes | cf7ae5cf6bef3222f5a26bec705b492fed0278aec6b16ec101aeda46e0edd2b2
font_03_sfnt_off0000a797.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA797 | 18304 bytes | b7b85e45b2e0fba94320617ceb2ece5ed3936c26fbb4efc42dbfdfbb85e9cc4e
font_04_sfnt_off0000c99d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC99D | 4272 bytes | fac9a06ceb5574feb8580c075df3ef69dfbd0efa4947186cfe90f11b68eaafb0