PDF static analysis report

Static analysis result for SHA-256 da07d393f09e8088…

SUSPICIOUS

PDF

Size: 43.5 KB
Created: 2021-05-15 08:15:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 216bbcf1dfb6fb25488da74b566b8e45
SHA-1: 6cc01a46cc93fd3d4c6aa22534bfe9ed4d846deb
SHA-256: da07d393f09e8088c4b7984e292d2a32c557b3649e6972f5c7b4521d35e28040
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains an embedded URL pointing to a site offering game hacks, strongly suggesting a lure for downloading potentially malicious content. The ML classifier also flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the lure indicate an attempt to trick users into executing further stages, likely through a malicious download.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-online-free-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004c63.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x4C63
  Size: 25832 bytes
  SHA-256: 002b0d708ee22923ed81dc5d561c1160be06a60662c91762abada891b738add3

Filename: font_01_sfnt_off00008886.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8886
  Size: 18068 bytes
  SHA-256: 065eb5bea139eaf43a54c15370d64aa119270a6f111c6de0f976a0e20a38860d