PDF static analysis report

Static analysis result for SHA-256 e08f555a9513ade0…

SUSPICIOUS

PDF

Size: 43.3 KB
Created: 2021-05-17 06:47:43 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17

MD5: 13681c6e6af4825ae55bf3f4db619db3
SHA-1: 6ffb69415afffe635cdd50f10b1bf8bbf5ebe4c1
SHA-256: e08f555a9513ade04c97ea1cdd6ed59fd674d292bd4cf81d04bf2de65f263ee8

Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs that lead to websites offering game cheats and hacks, specifically for Coin Master and Roblox. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs and a 'download button' heuristic further supports a malicious intent. No scripts were extracted from this sample, but the overall pattern suggests a phishing or scam lure designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004c68.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4C68
    Size: 25336 bytes
    SHA-256: d6ddf1b7e546890a6a4e9ff360316a1e78aa543d092bdd2fddcfc039a1266d6d
  • Filename: font_01_sfnt_off0000865f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x865F
    Size: 18436 bytes
    SHA-256: dce3e1f078114056c7a9f64f23754c2b9e2cd17dc36a219649f8cd9aa09ae054