PDF static analysis report

Static analysis result for SHA-256 c5e892d2b75625ab…

SUSPICIOUS

PDF

Size: 37.4 KB
Created: 2021-05-20 01:49:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 70f0c4dff97be4018c702f07f6cd74a6
SHA-1: 9468f89de8abe0f08cdc9f0d59d7dc4df8be8149
SHA-256: c5e892d2b75625ab619d8cd59bb37505591474c0f42c36c60202b295bb3bedbe
Risk Score: 52

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a prominent lure for a "Coin Master Hack" and a "CLICK HERE TO ACCESS COIN MASTER GENERATOR" call to action. It links to a suspicious URL, `https://netcdn.xyz/app/406889139/does-coin-master-hack-work-game-hack`, which is likely intended to host a malicious payload or phishing page. While no scripts were explicitly extracted, the PDF structure and the nature of the lure suggest an attempt to trick the user into downloading or visiting a harmful resource.

Machine Learning

  • Nyx PDF Classifier clean score 0.0129

Heuristics (4)

  • PDF links to a 'free generator / game hack' redirector (severity: high, rule: PDF_GAME_HACK_REDIRECT_LURE)
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/406889139/does-coin-master-hack-work-game-hack (source: PDF link annotation)
    URL: http://en.wikipedia.org/wiki/MIT_License (source: PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00002feb.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2FEB
    Size: 24348 bytes
    SHA-256: 9ce104ffed280ef52fe2378b08fc426ac84116017949257da1a62bdf569af2a7
  • Filename: font_01_sfnt_off00006682.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6682
    Size: 18084 bytes
    SHA-256: 4cea799240287eb948bae7a48ce350820d898f3c74ec39daa0da77041a3d74b3
  • Filename: font_02_sfnt_off00008806.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8806
    Size: 3264 bytes
    SHA-256: e32c06502c11b52acb5e814091c5fdbffd1e2a904ac7a9cfb8b5b180bd139088