PDF static analysis report

Static analysis result for SHA-256 b5e7b6ccb0dc3a0a…

Verdict: SUSPICIOUS
File type: PDF
Size: 33.2 KB
Created: 2021-06-25 13:17:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: b6fe5427111992668ac865dd499dc025
SHA-1: 3ca2f9741993a36f26ac743c88500c115858267f
SHA-256: b5e7b6ccb0dc3a0a398975eb90e17deac64cbcba64fa65eecb7216ce2cb8568c
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document is an HTML-to-PDF conversion (wkhtmltopdf) whose text promotes 'hacks' and free in-game currency for popular games (Roblox, Coin Master, Minecraft). Its only clickable action is a link annotation pointing at netcdn.co, which is the likely download target; the remaining URLs occur only as page text and point at sibling lure PDFs under the same user-upload directory on shoppingmart.ie, plus one Wikipedia link (MIT License) that is benign and most likely template residue. The Nyx classifier scored the file 0.9824 malicious and the call-to-action wording matches the SE_DOWNLOAD_BUTTON heuristic. No scripts were extracted, so the document itself carries no payload; the overall pattern is that of a phishing/SEO lure meant to send the reader to an external download of a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9824

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.co/app/431946152/give-robux-hack-game-hack [PDF link annotation]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-bit-slicer-hacks_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/how-to-hack-roblox-for-robux_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-cheats-admin-commands_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-download_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/earn-free-robux_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-spin-link-hack_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-free-robux-website_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/hack-mod-coin-master_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-hack-spins-apk_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/black-tank-top-roblox-free_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-hack-apk_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-free-robux-no-human-verification_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-free-spins-link-2021-twitter_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/minecraft-sign-up-free_GM479516143.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-computer-hack_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/what-to-do-if-my-roblox-account-gets-hacked_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/coin-master-hack-version-apk-download_GM406889139.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-sued_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/roblox-jailbreak-hack_GM431946152.pdf [in PDF document text]
    • https://www.shoppingmart.ie/uploaded_files/userfiles/files/https-oprewards-com-roblox_GM431946152.pdf [in PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [in PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded fonts, which is consistent with a wkhtmltopdf rendering and is not itself a finding; the hashes are listed so the blobs can be pivoted on or checked against known font files.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00002b3a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B3A | 22436 bytes | aa1af7929f659a28d3f1d1842efa88ce6f4ca0fd86da11594a75b69f97a75f2d
font_01_sfnt_off00005d34.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D34 | 18956 bytes | 888ae428fbabb51713d2dc60b0c5b035ebbc0cf1ce1c3b1948bea3b224a8a75b
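The three heuristics above (PDF_URI, EMBEDDED_URL with its per-channel labels, SE_DOWNLOAD_BUTTON) and the sfnt carving behind the artifact table can be reproduced with a short standard-library script. The following is an added example, not the analysis platform's own code: it builds a constructed sample PDF inline with made-up hostnames (cdn.example.test, files.example.test) and a minimal synthetic sfnt blob, and it handles only direct /Length values and single FlateDecode filters (no object streams, no other filters, literal-string Tj operands only). The point it shows is why a URL that is merely printed in page text is a weaker signal than one wired to a clickable /URI action, and what a minimal structural check on a carved "font" looks like.

```python
"""Added triage helper: URLs by channel, call-to-action lure phrases, and carved
sfnt font streams, standard library only.  SAMPLE_PDF is constructed inline
(hostnames are made up) so it runs offline; pass real file bytes to triage()."""
import hashlib
import re
import struct
import zlib

# Stream object header: dict (one level of nesting) followed by the 'stream' keyword.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct lengths only
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")        # /A << /S /URI /URI (...) >>
TEXT_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")         # literal-string Tj operands
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
CTA_RE = re.compile(rb"click here to download|download now|free download", re.I)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")        # TrueType / Apple / CFF OpenType

def iter_streams(pdf):
    """Yield (dict_bytes, data) per stream; FlateDecode is inflated, others passed raw."""
    for m in STREAM_RE.finditer(pdf):
        d, start = m.group(1), m.end()
        ln = LENGTH_RE.search(d)
        if ln:
            raw = pdf[start:start + int(ln.group(1))]
        else:                                  # indirect /Length: fall back to the keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end >= 0 else len(pdf)].rstrip(b"\r\n")
        if b"/FlateDecode" in d:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:                 # damaged stream: skip it, keep triaging
                continue
        yield d, raw

def _unescape(s):
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")

def extract_urls(pdf):
    """Map URL -> set of channels, separating clickable URI actions from page text."""
    found = {}
    for m in URI_RE.finditer(pdf):
        found.setdefault(_unescape(m.group(1)).decode("latin-1"), set()).add("link annotation")
    for _, data in iter_streams(pdf):
        text = b" ".join(_unescape(t) for t in TEXT_RE.findall(data))
        for u in URL_RE.findall(text):
            found.setdefault(u.decode("latin-1"), set()).add("document text")
    return found

def find_cta_phrases(pdf):
    """Lower-cased call-to-action phrases in page text (the SE_DOWNLOAD_BUTTON signal)."""
    hits = set()
    for _, data in iter_streams(pdf):
        for t in TEXT_RE.findall(data):
            hits.update(c.lower().decode("latin-1") for c in CTA_RE.findall(t))
    return sorted(hits)

def carve_sfnt_fonts(pdf):
    """[(sha256, size, num_tables)] for streams whose header is a plausible sfnt font."""
    fonts = []
    for _, data in iter_streams(pdf):
        if len(data) < 12 or data[:4] not in SFNT_MAGICS:
            continue
        num_tables = struct.unpack(">H", data[4:6])[0]
        if 12 + 16 * num_tables > len(data):   # table directory overruns the blob: not a font
            continue
        fonts.append((hashlib.sha256(data).hexdigest(), len(data), num_tables))
    return fonts

def triage(pdf):
    urls = extract_urls(pdf)
    return {"urls": urls,
            "external_uri_action": any("link annotation" in c for c in urls.values()),
            "cta": find_cta_phrases(pdf),
            "fonts": carve_sfnt_fonts(pdf)}

def _build_sample_pdf():
    """Constructed sample: one page, a /Link /URI annotation, Flate text, one tiny sfnt."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Download Now) Tj 0 -20 Td "
                            b"(https://files.example.test/hack-tool.pdf) Tj ET")
    font = (struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)                # sfnt header, 1 table
            + b"head" + struct.pack(">III", 0, 28, 4) + b"\0\0\0\0")       # record + 4 data bytes
    font_z = zlib.compress(font)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://cdn.example.test/app/1/get) >> >>",
        b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(font_z), len(font))
        + font_z + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

SAMPLE_PDF = _build_sample_pdf()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(key, value)
```

The per-channel split is what the report's labels encode: a /URI action is what the reader actually follows on click, while a URL printed in page text has to be copied out by hand, so the netcdn.co annotation is the one to pivot on first. The sfnt check is deliberately a structural sanity test (magic plus a table directory that fits inside the blob), not a full font parse; a stream carved as a font that fails it deserves a closer look.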