PDF static analysis report

Static analysis result for SHA-256 acbb6cf60fed78c0…

SUSPICIOUS

PDF

Size: 41.1 KB
Created: 2021-05-15 12:52:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: f0d9e5e60a87174f97271ff9c88f98bc
SHA-1: 30d5f880de2b70c4157f0a75b800f096ddce11e8
SHA-256: acbb6cf60fed78c07039d2377fe1e7dd4447cf72be19ec6fdbec4f76ab45f3ae
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The ML classifier strongly indicated maliciousness, and the document body contains numerous embedded URLs related to game cheats and free currency. These URLs, along with the heuristic indicating a download button lure, suggest the document is designed to trick users into downloading a secondary payload. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9971

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-free-spin-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004900.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4900
Size: 24332 bytes
SHA-256: dfdf2242cf4d679244b42d0d14b582423e9e246d9a9761033b41d541a932bddc

Filename: font_01_sfnt_off000080a1.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x80A1
Size: 17552 bytes
SHA-256: 8dab29753a5a72b3c6b7a99730aed283de919e10e0bbccf431f5836ef96af8e0