PDF static analysis report

Static analysis result for SHA-256 a9efef0275a5636d…

SUSPICIOUS

PDF

Size: 46.3 KB
Created: 2021-05-11 14:12:13 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 2e4b9e7ca9fa8b9ce556a07d2ba28a25
SHA-1: 03ed1fdfa5d01989e2adec78e1db85b6fce506a7
SHA-256: a9efef0275a5636d42fa077f76f87b9cfc033dcebbb79ffa22bdf39fb9446a2a
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs pointing to sites offering game cheats and hacks, suggesting a lure for users to download further malicious content. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the presence of external URIs and the ML detection strongly indicate a malicious intent to trick users into downloading potentially harmful files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8696

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (source channel in parentheses):
    • https://netcdn.xyz/app/431946152/roblox-toy-codes-free-game-hack (PDF link annotation)
    • http://charivne.info/ckfinder/userfiles/files/free-coins-on-coin-master-without-verification_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/roblox-mobile-hack_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-spins-2021_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/how-to-get-free-robux-on-roblox-2021_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/free-robux-meme_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-online-free-spin_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-free-spins-and-coins-link-blogspot_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/robux-hack-generator_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/free-robux-no-human-verification-2021_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/robux-withdraw_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/free-minecraft-resource-packs_GM479516143.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-free-spins-daily-fb-champion_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/is-there-any-way-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/daily-spin-coin-master-free_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/free-coins-coin-master-haktuts_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/how-to-hack-roblox-accounts-2021_GM431946152.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-free-spins-hack-but-no-surveys_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/how-to-get-java-minecraft-free_GM479516143.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/coin-master-32-mod-hack-unlimited_GM406889139.pdf (in PDF document text)
    • http://charivne.info/ckfinder/userfiles/files/tiradas-coin-master_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00004dcd.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4DCD | 25276 bytes
  SHA-256: 663838754eae76017886250296d2ab006a3a391d4654433585f38f7ac760b685
font_01_sfnt_off00008826.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8826 | 2984 bytes
  SHA-256: 2df87bbe4e27b27e34c872c092d0522acd977d05f5cbde7ed5e1fdfeb59cb318
font_02_sfnt_off00009274.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9274 | 18300 bytes
  SHA-256: 3d5b3d92e216065c2c845e8efa57a9453f648cbb701c9c0f5d074002979813ea