PDF static analysis report

Static analysis result for SHA-256 d3315fda9fb2a8b0…

Verdict: SUSPICIOUS

File type: PDF
Size: 35.0 KB
Created: 2021-07-09 08:02:13 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 771536a7b3695c3469d2cb2fe99280ad
SHA-1: feaa292eb3bb70411ffc604272f0ec3e113d47da
SHA-256: d3315fda9fb2a8b001b5ce55a82d5c30d22e8764b03784395022fd30d67e6afe

Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains embedded URLs and text promoting a "Coin Master Hack" and related game cheats, strongly suggesting a phishing or scam lure. The ML classifier also flagged this PDF as malicious with high confidence. The presence of embedded URLs indicates an attempt to redirect the user to external sites, likely for downloading further malicious content or harvesting credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000320b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x320B
    Size: 23424 bytes
    SHA-256: 4ee1cebbcc53b664e665fd106340e97e4e8a3b4ed5570f41ee0c04104735c7eb
  • Filename: font_01_sfnt_off00006686.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6686
    Size: 18140 bytes
    SHA-256: 17da5d703c5758f46f1af0ed1315e04c8ea1a1cae7dab9e1c5c22a4f69c629d7