PDF static analysis report

Static analysis result for SHA-256 b7f06d04823028d2…

SUSPICIOUS

PDF

Size: 45.9 KB    Created: 2021-06-07 05:53:30 +07:00    Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)    First seen: 2021-09-27
MD5: 12e65fd8280b93f1c89f429add84b8e5
SHA-1: 7f09a35587547acb6da3132588e9002f3915a24f
SHA-256: b7f06d04823028d23ee3c928a4c1260f3bb2b22ac679c99d373a619f17045665
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The Nyx classifier scored the file 0.9864 (malicious), and the document text carries twenty URLs under http://io24.com.ar/images/ whose file names are built from game-cheat and free-currency phrases (Roblox, Coin Master, Minecraft), plus one clickable link annotation to netcdn.tw. Paths of that kind are typical of lure pages that forward the reader to further phishing or unwanted downloads; static analysis does not follow them, so the final destinations are unverified. No scripts were extracted from this sample; the only carved artifacts are a decompressed content stream and an embedded font. The authoring application (wkhtmltopdf) and the stray link to the MIT License article point to a document rendered from a templated web page, which fits mass-produced lure documents rather than a hand-crafted attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9864

Heuristics (3)

  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label gives the channel (macro, JS, link annotation, document body, ...) that reached each URL.
    • https://netcdn.tw/app/431946152/coll-roblox-game-to-hack-game-hack  (PDF link annotation)
    • http://io24.com.ar/images/free-roblox-money_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/daily-free-spins-for-coin-master_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/robux-without-verification_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/free-robux-no-download_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/coin-master-code-for-free-spins_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/promo-code-free-robux_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/cheat-command-terminal-railways-roblox-admin-pass_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/coin-master-hack-2021-apk-download_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/how-to-get-free-robux-roblox-2021-august_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/coin-master-spins_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/download-hack-coin-master_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/coin-master-free-spins-1-coin-master_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/robux-boost_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/minecraft-pe-free-apk_GM479516143.pdf  (in PDF document text)
    • http://io24.com.ar/images/roblox-com-hack_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/how-to-get-a-free-dominus-in-roblox_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/free-spins-for-coin-master-on-1-19-19_GM406889139.pdf  (in PDF document text)
    • http://io24.com.ar/images/how-to-download-minecraft-java-edition-for-free_GM479516143.pdf  (in PDF document text)
    • http://io24.com.ar/images/como-ser-hacker-en-roblox-jailbreak_GM431946152.pdf  (in PDF document text)
    • http://io24.com.ar/images/coin-master-free_GM406889139.pdf  (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License  (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind                     Source                                     Size
stream_004_off00005139.bin     decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x5139   26884 bytes
  SHA-256: 30c5d2d28b7764897d1a2beae90485a797df8eef263d17cd4d5cfb0f0ba7a574
font_01_sfnt_off00009052.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x9052  18440 bytes
  SHA-256: 46bfbe031e6cc0e04303b6181b9b242882f6c10c86bb3b859b5be56326d143cc
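The three checks the report relies on (URL extraction labelled by channel, the call-to-action lure heuristic, and carving of FlateDecode streams with offset, size and SHA-256) can be reproduced with nothing but the standard library. The following is an added example written for this page, not the analysis tool's own code; it runs over a small PDF constructed inline (a link annotation plus one Flate-compressed content stream; the lure.invalid and cdn.invalid hosts are placeholders, not the sample's URLs) rather than the analysed file.

```python
import hashlib
import re
import zlib

# Added example, not the analysis tool's own code. Rebuilds three checks from
# the report: URL-by-channel, call-to-action lure, Flate stream carving.
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
CTA_RE = re.compile(rb"click here to download|download now", re.I)


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF (not the analysed sample): a /URI link
    annotation plus a FlateDecode content stream whose visible text carries
    two URLs and a 'Download Now' lure phrase."""
    text = (b"BT /F1 12 Tf 72 700 Td "
            b"(Download Now: http://lure.invalid/images/free-robux_GM1.pdf) Tj "
            b"T* (Licence: http://en.wikipedia.org/wiki/MIT_License) Tj ET")
    packed = zlib.compress(text)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 700] "
        b"/A << /S /URI /URI (https://cdn.invalid/app/1/game-hack) >> >>",
    ]
    pdf = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(pdf)


def carve_flate_streams(pdf: bytes) -> list[dict]:
    """Inflate each stream whose object dictionary names /FlateDecode and
    record offset, inflated size and SHA-256, as the artifact table does.
    Streams that fail to inflate are skipped here; a triage tool should
    rather flag them, since a deliberately malformed stream is a classic
    way to hide content from naive extractors."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())       # back to 'N 0 obj'
        if b"/FlateDecode" not in pdf[obj_start:m.start()]:
            continue
        try:
            data = zlib.decompress(m.group(1))
        except zlib.error:
            continue
        out.append({"offset": m.start(1), "size": len(data),
                    "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return out


def urls_by_channel(pdf: bytes) -> dict[str, list[str]]:
    """Label each URL with the channel that reaches it: a /URI link action
    (followed on click) versus text inside an inflated content stream (only
    visible to the reader). Real text is often split across several Tj
    operators, so a production tool reassembles text before matching."""
    link = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    text = []
    for s in carve_flate_streams(pdf):
        text += [u.decode("latin-1") for u in URL_RE.findall(s["data"])]
    return {"link_annotation": link, "document_text": text}


def has_download_lure(pdf: bytes) -> bool:
    """SE_DOWNLOAD_BUTTON-style check: a call-to-action phrase in the text.
    Low signal on its own; it only matters next to a URL channel."""
    return any(CTA_RE.search(s["data"]) for s in carve_flate_streams(pdf))


if __name__ == "__main__":
    sample = build_sample_pdf()
    for s in carve_flate_streams(sample):
        print(f"stream at 0x{s['offset']:x}: {s['size']} bytes sha256={s['sha256']}")
    for channel, urls in urls_by_channel(sample).items():
        for u in urls:
            print(f"{u}  [{channel}]")
    print("download lure:", has_download_lure(sample))
```

The split between link annotations and body text is the one that matters for triage: a /URI action is what a viewer follows on click and is the channel to block or sandbox, while a URL that only appears in rendered text has to be copied by the reader. The same carving loop can be pointed at a real file by replacing build_sample_pdf() with the file's bytes; the offsets it reports are the same byte offsets the artifact table above uses.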