PDF static analysis report

Static analysis result for SHA-256 bf9f67429235f4d1…

Verdict: SUSPICIOUS

File type: PDF

Size: 48.1 KB
Created: 2021-05-17 18:32:40 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: d06b756e8dc525e7bb75abbc34040bd9
SHA-1: 19a8233e377f9df2c373455dc7a3ddf47384aa71
SHA-256: bf9f67429235f4d159b73b9631bf74c98047c91c7453cf60c314ce0dcd937a0b

Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a visual call-to-action button, attempting to trick users into downloading content related to game hacks and virtual currency. The ML classifier also flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URIs and the document's deceptive content suggest a phishing or social engineering attack, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8715

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/free-robux-mobile-game-hack (PDF link annotation)
    • http://brusivojimi.com/images/free-robux-safe_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/coin-master-apk-hack-2021_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/minecraft-mobile-free_GM479516143.pdf (in PDF document text)
    • http://brusivojimi.com/images/get-free-robux-without-human-verification_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/coin-master-free-spins-link-today-new_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/free-robux-websites-that-actually-work_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/coin-master-apk-mod_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/how-do-u-get-free-robux-2021_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/free-minecraft-hacks_GM479516143.pdf (in PDF document text)
    • http://brusivojimi.com/images/coin-master-2021-free-spins-link_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/get-coin-master-hack_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/free-spins-october-28-2021-coin-master_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/real-robux-codes_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/free-roblox-hack_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/50-free-spins-coin-master_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/robux-without-verification_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/free-robux-kid-friendly_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/2021-free-coin-master-spins_GM406889139.pdf (in PDF document text)
    • http://brusivojimi.com/images/roblox-svg-free_GM431946152.pdf (in PDF document text)
    • http://brusivojimi.com/images/coin-master-free-spins-hack-iphone_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004835.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4835
    Size: 25136 bytes
    SHA-256: c70c9dab7e5da15d98a0e65b0ce186c1ff9391cf8cc8226c76c33cb5cd280afb
  • Filename: font_01_sfnt_off000081d7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x81D7
    Size: 2940 bytes
    SHA-256: eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
  • Filename: font_02_sfnt_off00008be2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8BE2
    Size: 5696 bytes
    SHA-256: 450e3ee45915afe13702bf1d587eb8b9ad88a8d2113419ac9f2fd116a828e139
  • Filename: font_03_sfnt_off000098f4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x98F4
    Size: 18404 bytes
    SHA-256: 0c312729e80e6e0ca2ee9f4904992f86151ccd5d23fc73e43cbe09e8497f8a48