PDF static analysis report

Static analysis result for SHA-256 e2a9f2472293ab96…

SUSPICIOUS

PDF

Size: 33.8 KB
Created: 2021-07-06 17:30:03 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 655750a380b9401ef9a5c67a8b710099
SHA-1: 5c299831da3dd8e3cc2396e2367741886f6699ce
SHA-256: e2a9f2472293ab96d115587ba36e233216aea6ef35581da2c7e495bbf7bb3e3e
Risk Score: 34

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs, with a primary focus on game-related hacks and cheats for popular games like Roblox and Coin Master. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs suggests an attempt to redirect the user to a potentially harmful site. While no scripts were explicitly extracted, the document's structure and content indicate a lure for users seeking exploits, likely leading to malware download or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (2)

  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/how-to-run-faster-in-roblox-hack-murder-mystery-game-hack (PDF link annotation)
    • http://elib.upiyptk.ac.id/opac/repository/free-spins-coin-master-unlimited_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/minecraft-115-2-hacks_GM479516143.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/free-apk-mods-coin-master_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/roblox-hack-me-robux_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/minecraft-switch-free_GM479516143.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/coin-master-gold-cards-hack_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/how-do-you-get-roblox-money_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/free-robux-hack-no-human-verification_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/roblox-person_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/equixel-free-robux_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/coin-master-hack-no-survey-or-verification_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/how-to-hack-rich-old-roblox-accounts_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/how-to-duplicate-coin-master-spin-hack_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/how-to-get-free-spins-on-coin-master-without-verification_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/free-robux-obby_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/coin-master-hack-iosgods_GM406889139.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/free-antlers-roblox_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac//repository/free-promo-codes-for-robux_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/how-to-get-free-robux-without-paying_GM431946152.pdf (in PDF document text)
    • http://elib.upiyptk.ac.id/opac/repository/free-vip-for-roblox-free-video-star_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002f6b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2F6B | 22648 bytes
  SHA-256: 3d6b9dc6cdffb20851241e92ea65949437f75b7a374232d1ae323f566e0219c6
font_01_sfnt_off00006227.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6227 | 19592 bytes
  SHA-256: fd0ac88262361dba33e46cca0fb4e463688186d4a5154c38e304513621c20aa5