PDF static analysis report

Static analysis result for SHA-256 ccbc7a3c11309c0c…

SUSPICIOUS

PDF

Size: 33.4 KB
Created: 2021-06-26 17:00:29 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: c325265ade4a3185e4180e407333aa7e
SHA-1: a318555566711b31aa0c3e443ccb072259f84aa7
SHA-256: ccbc7a3c11309c0cb614311f183af7f4ae8f4954a6b56a8cf5b6e7e1f79f2a82
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier strongly indicated maliciousness, and the document body contains numerous links to external sites offering game exploits and virtual currency hacks. The presence of embedded URIs suggests an attempt to redirect the user to these malicious sites, likely for downloading further malware or engaging in phishing. No scripts were extracted, but the overall pattern points to a social engineering lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002d0d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D0D | 21468 bytes
  SHA-256: ed1f2fc64437d81cb8f0bb1a1eeda61606ac38e08210e91541bf398c94d4bb50
font_01_sfnt_off00005bf5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5BF5 | 19484 bytes
  SHA-256: 2f6dc0b3d44edfa86d1866a1299ace96b98e86cb35d3ebb052a77fdd2d2dd9ee