PDF static analysis report

Static analysis result for SHA-256 dc5781c49a7f1fb4…

SUSPICIOUS

PDF

Size: 39.1 KB
Created: 2021-05-14 11:32:08 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: fa8efe7f4e77253da293566c4df45a5b
SHA-1: ac41648cb0d6b9296f01ad242679b4bcca334e4d
SHA-256: dc5781c49a7f1fb4c57ae93d4892892b265dab2871cc19be9213ea89a0aa1b2b
Risk Score: 52

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document renders a fake CAPTCHA / human-verification prompt, a common lure for getting the reader to interact with the content: a static PDF cannot run a real challenge, so the prompt exists only to invite a click. That click is backed by a link annotation whose /URI action points to a suspicious external URL (a netcdn.xyz path advertising a game hack), most likely a payload download or a scam page. No JavaScript or other scripts were extracted from the sample, so the risk lies in the click-through rather than in the file itself; the overall pattern is a phishing or malware-distribution lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.0128

Heuristics 4

  • Fake CAPTCHA / human verification prompt  [high]  SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure  [low]  SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI  [info]  PDF_URI
    PDF contains an external URL action
  • Embedded URL  [info]  EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL https://netcdn.xyz/app/406889139/coin-master-free-coins-and-spins-link-game-hack (source: PDF link annotation)
    • URL http://en.wikipedia.org/wiki/MIT_LicenseIn (source: PDF document text)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_003_off000032a4.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x32A4    24152 bytes
    SHA-256: 90b3fd0ea8ad0d66266d62e566c9e30846281dfba8e39a164954db3e33c5bc01
font_01_sfnt_off000069bb.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x69BB   4140 bytes
    SHA-256: fadd6adc619b5dae06481310fe8c64f9c468bd2b49dcab5d1125d2c06f73829c
font_02_sfnt_off0000779c.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x779C   18228 bytes
    SHA-256: b9853edf503a53d442d3b577c09c09d59d7c57f52c57bf669c9991918f7be207
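The heuristics and artifact table above come from a static pass over the raw PDF bytes: carve each stream (inflating FlateDecode data and recording offset, size and SHA-256), pull URLs out of link annotations separately from URLs found in page text, and match lure phrases against that text. The following Python script is an added illustration of that workflow, not code from the analysis tool and not the sample discussed on this page. It builds a small constructed PDF that carries the same three ingredients the report flags (a CAPTCHA-style prompt, a download call-to-action and a /Link annotation with a /URI action) and then analyses it. The URL, the page text, the phrase lists and all function names are assumptions made for the example.

```python
import hashlib
import re
import zlib

# Constructed sample (not the analysed file): a small PDF with one FlateDecode
# content stream, a /Link annotation carrying a /URI action, and a CAPTCHA-style
# lure. The URL and text below are invented placeholders.
LURE_URL = b"https://example.invalid/app/000000000/free-coins-link"
PAGE_TEXT = (b"I'm not a robot - verify you are human. Click here to download. "
             b"See http://example.invalid/license for terms")

STREAM_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!>>).)*?)>>\s*stream\r?\n", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")       # literal-string /URI values only
TJ_STRING_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")  # (...) Tj text operands only
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
FAKE_CAPTCHA = (b"not a robot", b"verify you are human", b"human verification", b"captcha")
CTA_PHRASES = (b"click here to download", b"download now")


def build_sample_pdf() -> bytes:
    """Assemble the constructed sample, with a correct xref table."""
    content = b"BT /F1 12 Tf 72 700 Td (" + PAGE_TEXT + b") Tj ET"
    packed = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Annots [5 0 R] /Resources << /Font << /F1 6 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 720] /Border [0 0 0] "
        b"/A << /S /URI /URI (" + LURE_URL + b") >> >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_pos)
    return bytes(out)


def carve_streams(pdf: bytes) -> list:
    """Scan raw bytes for stream objects (a hostile file can lie in its xref, so we
    do not trust it), inflate FlateDecode data, and record offset/size/SHA-256."""
    artifacts = []
    for idx, m in enumerate(STREAM_OBJ_RE.finditer(pdf), start=1):
        obj_dict, data_off = m.group(2), m.end()
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", obj_dict)
        if length:                          # direct /Length: slice exactly that many bytes
            raw = pdf[data_off:data_off + int(length.group(1))]
        else:                               # indirect or missing: fall back to the keyword
            raw = pdf[data_off:pdf.find(b"endstream", data_off)].rstrip(b"\r\n")
        data, kind = raw, "raw-pdf-stream"
        if b"/FlateDecode" in obj_dict:
            try:
                data, kind = zlib.decompress(raw), "decompressed-pdf-stream"
            except zlib.error:              # truncated or corrupt deflate: keep the raw bytes
                pass
        if data[:4] in (b"\x00\x01\x00\x00", b"OTTO", b"true"):   # sfnt (TrueType/OpenType) magic
            kind = "pdf-font-stream"
        artifacts.append({"name": "stream_%03d_off%08x.bin" % (idx, data_off), "kind": kind,
                          "offset": data_off, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return artifacts


def page_text(artifacts) -> bytes:
    """Join the (...) Tj string operands of every carved content stream."""
    return b" ".join(s for a in artifacts for s in TJ_STRING_RE.findall(a["data"]))


def extract_urls(pdf: bytes, artifacts) -> list:
    """Label each URL with the channel that reached it, as the report does."""
    urls = [(u.decode("latin-1"), "PDF link annotation") for u in URI_ACTION_RE.findall(pdf)]
    urls += [(u.decode("latin-1"), "PDF document text") for u in URL_RE.findall(page_text(artifacts))]
    return urls


def run_heuristics(artifacts, urls) -> list:
    """Phrase and structure checks mirroring the four rule IDs in the report."""
    text, hits = page_text(artifacts).lower(), []
    if any(p in text for p in FAKE_CAPTCHA):
        hits.append(("SE_FAKE_CAPTCHA", "high"))
    if any(p in text for p in CTA_PHRASES):
        hits.append(("SE_DOWNLOAD_BUTTON", "low"))
    if any(src == "PDF link annotation" for _, src in urls):
        hits.append(("PDF_URI", "info"))
    if urls:                                # presence only; the URL itself is not a verdict
        hits.append(("EMBEDDED_URL", "info"))
    return hits


def analyze(pdf: bytes) -> dict:
    artifacts = carve_streams(pdf)
    urls = extract_urls(pdf, artifacts)
    return {"sha256": hashlib.sha256(pdf).hexdigest(), "artifacts": artifacts,
            "urls": urls, "heuristics": run_heuristics(artifacts, urls)}


if __name__ == "__main__":
    report = analyze(build_sample_pdf())
    for a in report["artifacts"]:
        print(a["name"], a["kind"], a["size"], "bytes", a["sha256"])
    for url, src in report["urls"]:
        print("URL", url, "[" + src + "]")
    for rule, sev in report["heuristics"]:
        print(rule, sev)
```

Two caveats a practitioner should keep in mind. The script only understands literal-string /URI values and `(...) Tj` text operands; hex strings, `TJ` arrays, object streams (PDF 1.5 /ObjStm) and fonts with custom encodings all hide content from this kind of regex pass, which is exactly why a real analyser carves and decodes every stream before matching. And a URL regex run over extracted text stops only at whitespace or a delimiter, so a word that the renderer glued onto a link ends up inside the extracted value; that is worth remembering when a URL from the document-text channel looks oddly suffixed.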