PDF static analysis report

Static analysis result for SHA-256 deeb394a921d669a…

Verdict: SUSPICIOUS
File type: PDF
Size: 41.5 KB
Created: 2021-05-13 16:31:37 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 998cc3df0366038bfad02c6b4010e341
SHA-1: 30e2ad35d0ea86eb8fe960939cf8dc220cde43ea
SHA-256: deeb394a921d669a2fe94236a9e82c62c9bc4db5eae447e8f19cd3ab34b1cbd5

Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The ML classifier scores the document as malicious (0.9971), and the body text is about hacking mobile games and obtaining in-game currency (Coin Master spins and coins, Roblox/Robux, Minecraft). No scripts were extracted, and the only carved artifacts are a page content stream and an embedded font, so the file itself carries no executable payload; the risk lies in where it sends the reader. A single link annotation opens an external "game hack" page on netcdn.xyz, and the body text lists further PDFs of the same kind sitting in the upload directory of an unrelated site (gulfautotools.com), a pattern consistent with a lure chain that steers users toward further downloads or phishing pages. Whether those external resources actually serve malware cannot be determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (3)

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/como-hackear-coin-master-ios-game-hack  [PDF link annotation]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/google-moon-active_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/free-robux-no-verification-2021-android_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/roblox-phantom-forces-hack_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/robux-gift-card-free_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/microsoft-rewards-robux_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/free-robux-hack-no-human-verification_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/spin-free-coin-master_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/coin-master-free-in-app-purchases_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/coin-master-hack-version-2021-free-download_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/coin-master-app-free-download_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/how-to-get-minecraft-java-for-free_GM479516143.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/how-to-hack-coin-master-ios-jailbreak_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/coin-master-hack-without-downloading-apps_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/op-rewards-robux_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/roblox-points_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/free-things-on-roblox_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/free-spins-and-coins-com_GM406889139.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/minecraft-bedrock-free-server-hosting_GM479516143.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/microsoft-rewards-roblox_GM431946152.pdf  [PDF document text]
    • https://www.gulfautotools.com/uploaded_files/userfiles/files/hack-minecraft_GM479516143.pdf  [PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License  [PDF document text]
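The per-URL channel labels above are the useful part of this finding: a /URI action on a link annotation is followed with one click, while a URL that only occurs in rendered page text has to be copied out by hand. The following scanner reproduces that split and the stream carving from the artifacts table. It is an added example, not the report's own tooling: it builds a constructed sample PDF inline (the example.test URLs, the `Download Now` phrase and the `heuristics()` mapping onto the IDs listed above are illustrative), then extracts /URI actions separately from URLs found in Tj text operands, decodes FlateDecode streams and records their offset, size and SHA-256.

```python
import hashlib
import re
import zlib

# Constructed sample, not the analyzed file: a minimal PDF with one /Link
# annotation carrying a /URI action and one FlateDecode page content stream
# whose text holds a second URL and a call-to-action phrase. No xref table is
# written, because the scanner below walks the file body, not the cross-reference.
def build_sample_pdf() -> bytes:
    page_text = (b"BT /F1 12 Tf 72 700 Td "
                 b"(Download Now: https://example.test/files/game-hack_GM1.pdf) Tj ET")
    compressed = zlib.compress(page_text)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 400 720] "
        b"/A << /S /URI /URI (https://example.test/app/1/game-hack) >> >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# /URI action inside an /A dictionary: the clickable channel.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Stream dictionary with a direct /Length (indirect "5 0 R" lengths are not handled).
STREAM_RE = re.compile(rb"<<(?:[^>]*?)/Length\s+(?P<len>\d+)[^>]*>>\s*stream\r?\n")
# Literal string operand of a Tj operator (hex strings and TJ arrays are ignored).
TEXT_OPERAND_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
CTA_RE = re.compile(rb"click here to download|download now|get it now|claim (?:your )?reward", re.I)


def analyze_pdf(pdf: bytes) -> dict:
    """Extract URLs per channel and carve decoded streams from a PDF body."""
    findings = {"link_annotation": [], "document_text": [], "cta_phrases": [], "streams": []}
    # Channel 1: /URI actions in the raw file. A viewer follows these on a single
    # click, which is why they rate as PDF_URI regardless of what the page text says.
    findings["link_annotation"] += [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        raw = pdf[start:start + int(m.group("len"))]
        try:
            data = zlib.decompress(raw)
        except zlib.error:
            data = raw  # not deflate-compressed, or a filter this scanner does not decode
        # Carve the decoded stream the way the "Extracted artifacts" table does.
        findings["streams"].append({"offset": start, "size": len(data),
                                    "sha256": hashlib.sha256(data).hexdigest()})
        # Object streams (/ObjStm) can hide annotation dictionaries, so scan decoded data too.
        findings["link_annotation"] += [u.group(1).decode("latin-1") for u in URI_ACTION_RE.finditer(data)]
        # Channel 2: URLs that only appear in rendered text. A reader has to copy
        # these by hand, so they are weaker evidence than a link annotation.
        text = b" ".join(TEXT_OPERAND_RE.findall(data))
        findings["document_text"] += [u.decode("latin-1") for u in URL_RE.findall(text)]
        findings["cta_phrases"] += [c.decode("latin-1") for c in CTA_RE.findall(text)]
    return findings


def heuristics(findings: dict) -> list:
    """Illustrative mapping of findings onto the heuristic IDs used in the report."""
    hits = []
    if findings["cta_phrases"]:
        hits.append("SE_DOWNLOAD_BUTTON")   # low: a lure phrase alone is weak evidence
    if findings["link_annotation"]:
        hits.append("PDF_URI")              # info: clickable external URL action present
    if findings["link_annotation"] or findings["document_text"]:
        hits.append("EMBEDDED_URL")         # info: URL present, channel recorded per URL
    return hits


if __name__ == "__main__":
    result = analyze_pdf(build_sample_pdf())
    for channel in ("link_annotation", "document_text"):
        for url in result[channel]:
            print(f"{url}  [{channel}]")
    for s in result["streams"]:
        print(f"stream at 0x{s['offset']:X}: {s['size']} bytes, SHA-256 {s['sha256']}")
    print("heuristics:", heuristics(result))
```

On a real sample the same script needs the usual hardening before its output can be trusted: resolve indirect /Length values (or fall back to scanning for `endstream`), decode object streams before looking for annotation dictionaries, and handle hex strings and TJ arrays in the text extraction, since lure generators such as wkhtmltopdf routinely split text across several operands.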

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                     Size
stream_003_off00004ae4.bin    decompressed-pdf-stream  PDF FlateDecode stream at offset 0x4AE4    23780 bytes
  SHA-256: 99e263b5e4d7e945432c42e6f8b0da6e1d3c4e1b75f3e89cc5f77b79e2a2f494
font_01_sfnt_off000080df.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x80DF  17976 bytes
  SHA-256: c17a11528d6db3e3ae92482534db384e3139a2f0aff777cff95d74958b5837df