PDF static analysis report

Static analysis result for SHA-256 c6335e1d821cf7f4…

SUSPICIOUS

File type: PDF
Size: 31.8 KB
Created: 2021-07-19 16:05:27 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 762679aa81d95d855e20cf3d63fc2430
SHA-1: ed54ea0448e27a83425519424728c6304f92ceb9
SHA-256: c6335e1d821cf7f46f7e91cdae1f7fdcf8609f4c429a22be5b881bbb72674b20
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains multiple embedded URLs and a prominent call-to-action promising free game items or accounts for popular games such as Minecraft, Roblox and Coin Master. The ML classifier scored the PDF 0.99 malicious. One link annotation carries a URI action to an external host, and eleven further URLs appear in the document text; ten of those share one host, one upload path and a `<topic>_GM<number>.pdf` naming pattern, which is consistent with a mass-produced lure that funnels readers into a phishing or credential-harvesting flow. No JavaScript or other active content was extracted, so the risk lies in where the links lead rather than in anything the PDF executes locally; the file itself is a lure, not an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9900

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/479516143/how-to-get-a-free-minecraft-account-game-hack (PDF link annotation)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/free-minecraft-alts_GM479516143.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/free-spin-link-for-coin-master-game_GM406889139.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/minecraft-multiplayer-free_GM479516143.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/free-minecraft-texture-packs_GM479516143.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/free-coins-coin-master-2021_GM406889139.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/how-to-get-minecraft-for-free-on-phone_GM479516143.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/how-to-get-minecraft-for-free-on-ipad_GM479516143.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/how-to-hack-people-on-roblox_GM431946152.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/huskybuckscom-free-robux_GM431946152.pdf (in PDF document text)
    • http://www.biotrade.com.au/uploaded_files/userfiles/files/coin-master-free-spins-link-today-new-2021_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt (TrueType/OpenType container) font streams embedded by the generating application; embedded fonts are expected in HTML-to-PDF output and are not a finding on their own, but their hashes can be pivoted on to find other PDFs produced from the same template.

Filename: font_00_sfnt_off00002b8b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B8B
  Size: 22000 bytes
  SHA-256: 22653b8fc6e20c7ca63c0d46549a54b4c4f0dd08b5cebb8550bd90b78e74b29b

Filename: font_01_sfnt_off00005b38.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5B38
  Size: 18016 bytes
  SHA-256: 5a2a7e753a917a0c0776144ed208a5331958d262d8364954408ce80ee198d92a
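The following is an added example, not code from the analysis platform that produced this report, showing how the PDF_URI / EMBEDDED_URL per-channel labelling above and the font-stream carving in the artifacts section can be reproduced with a minimal static pass over a raw PDF. It walks `N G obj ... endobj` objects, cuts stream bodies by their direct `/Length`, inflates FlateDecode streams, reports each URL with the channel that reached it (a `/URI` action in a link annotation versus visible text in a content stream), and hashes any decoded stream that starts with an sfnt magic. The sample PDF it runs on is constructed inline; the hosts `lure.example` and `docs.example` and the object numbers are placeholders, not values from the analysed file.

```python
import hashlib
import re
import zlib

# Added example, not the analysis platform's own code. Hostnames lure.example
# and docs.example and the fake font bytes below are constructed placeholders.

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")   # TrueType, Mac TrueType, CFF OpenType, collection
OBJ_START = re.compile(rb"(\d+)\s+\d+\s+obj\b")
STREAM_KW = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")      # direct /Length only, not "5 0 R"
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")                       # literal-string /URI values (hex form <...> not handled)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")

LURE_URL = b"http://lure.example/app/free-minecraft-account"
DOC_URL = b"http://docs.example/license"
# Fake sfnt: TrueType magic, a one-entry table directory and a zero-filled 'head' table.
SAMPLE_FONT = SFNT_MAGICS[0] + b"\x00\x01\x00\x10\x00\x01\x00\x00" + b"head" + b"\x00" * 52
SAMPLE_FONT_SHA256 = hashlib.sha256(SAMPLE_FONT).hexdigest()


def iter_objects(pdf: bytes):
    """Yield (obj_num, dict_bytes, raw_stream_or_None, stream_offset) for every
    'N G obj ... endobj'. Stream bodies are cut using the direct /Length when one
    is present, so binary data that happens to contain 'endobj' cannot derail the scan."""
    pos = 0
    while (m := OBJ_START.search(pdf, pos)):
        num, start = int(m.group(1)), m.end()
        end = pdf.find(b"endobj", start)
        if end == -1:
            end = len(pdf)
        s = STREAM_KW.search(pdf, start, end)
        if s is None:
            yield num, pdf[start:end], None, None
            pos = end + len(b"endobj")
            continue
        head, data_start = pdf[start:s.start()], s.end()
        lm = LENGTH_RE.search(head)
        data_end = data_start + int(lm.group(1)) if lm else pdf.find(b"endstream", data_start)
        yield num, head, pdf[data_start:data_end], data_start
        end = pdf.find(b"endobj", data_end)
        pos = end + len(b"endobj") if end != -1 else len(pdf)


def decode_stream(head: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are returned as-is (not handled here)."""
    if b"/FlateDecode" not in head:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels that reached it: a /URI action in a
    non-stream object (link annotation) or plain text inside a content stream.
    Caveat: text set with a subset CID font is stored as glyph IDs and needs the
    font's ToUnicode map to recover; this example only sees literal strings."""
    found = {}
    for _, head, raw, _ in iter_objects(pdf):
        if raw is None:
            for m in URI_RE.finditer(head):
                found.setdefault(m.group(1).decode("latin-1"), set()).add("PDF link annotation")
            continue
        data = decode_stream(head, raw)
        if data[:4] in SFNT_MAGICS:          # font programs carry no document text
            continue
        for m in URL_RE.finditer(data):
            found.setdefault(m.group(0).decode("latin-1"), set()).add("PDF document text")
    return found


def carve_fonts(pdf: bytes) -> list:
    """Return one record per decoded stream that starts with an sfnt magic."""
    fonts = []
    for num, head, raw, off in iter_objects(pdf):
        if raw is None:
            continue
        data = decode_stream(head, raw)
        if data[:4] in SFNT_MAGICS:
            fonts.append({"object": num, "offset": off, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return fonts


def _stream(entries: bytes, data: bytes) -> bytes:
    return b"<< %s /Length %d >>\nstream\n%s\nendstream" % (entries, len(data), data)


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF (no xref table; a viewer would rebuild it): the body
    text carries two URLs, a link annotation points at one of them through a /URI
    action, and a FlateDecode FontFile2 stream embeds the fake sfnt font."""
    content = (b"BT /F1 12 Tf 72 700 Td (Click here to download: " + LURE_URL + b") Tj "
               b"0 -20 Td (License: " + DOC_URL + b") Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 5 0 R >> >> /Annots [7 0 R] >>",
        _stream(b"/Filter /FlateDecode", zlib.compress(content)),
        b"<< /Type /Font /Subtype /TrueType /BaseFont /Lure /FontDescriptor 6 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Lure /FontFile2 8 0 R >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 320 712] /A << /S /URI /URI (" + LURE_URL + b") >> >>",
        _stream(b"/Filter /FlateDecode /Length1 %d" % len(SAMPLE_FONT), zlib.compress(SAMPLE_FONT)),
    ]
    out = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, body) for i, body in enumerate(objs, 1))
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    for url, channels in sorted(extract_urls(sample).items()):
        print(f"{url}  <- {', '.join(sorted(channels))}")
    for f in carve_fonts(sample):
        print(f"font obj {f['object']} at 0x{f['offset']:X} {f['size']} bytes sha256={f['sha256']}")
```

Run it as a script and the lure URL shows up with both channels while the license URL is text-only, which is the same distinction the report draws between the one annotation-driven URL and the eleven in the document body. The carver keys on the decoded stream's first four bytes rather than on the `/FontFile2` key, so it also catches font programs referenced through indirect or unusual dictionary layouts.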