PDF static analysis report

Static analysis result for SHA-256 c16055cc4d7b6119…

SUSPICIOUS

PDF

Size: 53.2 KB
Created: 2021-05-14 03:04:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 350fc5b8115885a637bc53f68f13c955
SHA-1: 73ab0421b7a6e0e1914f955ab45aacb53495d9c3
SHA-256: c16055cc4d7b6119079b59af2ff4612069a49980d09986e2e6ec467291b0cdbd
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs that lead to sites offering game hacks and cheats, such as "free Robux" and "Coin Master hacks". The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports a malicious intent to redirect users to potentially harmful content. The document body, though partially corrupted, contains references to these lures and the primary malicious URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9112

Heuristics 3

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / channel that reached it:
    • https://netcdn.xyz/app/431946152/how-do-you-get-roebucks-game-hack [PDF link annotation]
    • https://ogm-goettingen.de/images/free-robux-discord_GM431946152.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/free-coin-master-hack-no-verification_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/free-robux-without-downloading-anything_GM431946152.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-time-hack-2021_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/roblox-com-hack_GM431946152.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/wurst-client-download_GM479516143.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-apk-mod_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-coins_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-hack-spin-link_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/minecraft-free-download-android-apk_GM479516143.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-spins-apk_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-stuff_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-hack-game-download-mod-apk_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-coins-link-2021_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/watch-videos-for-robux_GM431946152.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/mcpe-master-hack-unlimited-coins_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-spins-and-coins-2021_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/coin-master-free-spins-hack-link_GM406889139.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/www-bandicam-com-free-robux_GM431946152.pdf [In PDF document text]
    • https://ogm-goettingen.de/images/is-windows-10-minecraft-free_GM479516143.pdf [In PDF document text]
    • https://Buy.HoaxMC.com [In PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [In PDF document text]

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00004b2b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4B2B | 25904 bytes
  SHA-256: 9d60fe752e15d8bf8ba07245fc04b2d0cc91531b10bdce76783273de1982353f
font_01_sfnt_off000085d8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x85D8 | 12800 bytes
  SHA-256: db399d969d9309c9c38cb6e3c43aa83c06d227a5470715de93176d1df1e6747d
font_02_sfnt_off0000adb5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xADB5 | 18408 bytes
  SHA-256: ff346f93049ac2d3fb32d8a2c4dbad06720bfee6e4c1cdd193d0bff0cdbf25c6