PDF static analysis report

Static analysis result for SHA-256 ace7340cbc7f85b4…

SUSPICIOUS

PDF

Size: 33.3 KB
Created: 2021-06-18 09:44:09 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 0a18f95ca643fa80e41453d4655af737
SHA-1: 7ddaba71de3efdda33b2f21953df2af95fad9b11
SHA-256: ace7340cbc7f85b4b9bfe1a7569f14bbfb90c085145adab16f7bede6fe5236ee
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The ML classifier strongly flagged this PDF as malicious. The document body and embedded URLs promote free game hacks and generators for popular games like Roblox and Coin Master. The presence of multiple URLs pointing to similar lures suggests a campaign to trick users into downloading potentially unwanted or malicious software.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002e9b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2E9B | 21096 bytes
  SHA-256: e621bdca4dc102dea97206964f9d9e2df64cea0b17811d75d3b47224cd72b666
font_01_sfnt_off00005c85.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C85 | 19160 bytes
  SHA-256: 2768f3017ba5fe0adb7d97ddba6bedd21be5c50bfe27aba8a6010ff1a6dee784