PDF static analysis report

Static analysis result for SHA-256 e904749ff3efef89…

SUSPICIOUS

PDF

Size: 31.6 KB
Created: 2021-07-19 14:30:32 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 0aeef2a8982de1bf59e3893db8fc0b1c
SHA-1: 69c2dab511ec867fbf62d0c7a7ac28de63315406
SHA-256: e904749ff3efef895eb4c2b17a45b904e44d9902500611febb9ffee9cf86ff48
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document body and extracted URLs indicate a lure for free in-game items, a common tactic for phishing or malware distribution. The ML classifier strongly flagged this PDF as malicious, and an external URI was found pointing to a suspicious download link. Although no scripts were directly extracted, the presence of embedded URLs and the lure suggest the document is designed to redirect users to malicious sites or initiate downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9900

Heuristics (3)

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL / Source
    • http://netcdn.tw/app/479516143/free-minecraft-account-and-password-game-hack  (PDF link annotation)
    • https://www.iadh.bi/images/free-tiktok-coins_GM835599320.pdf  (In PDF document text)
    • https://www.iadh.bi/images/free-mods-for-minecraft-pe_GM479516143.pdf  (In PDF document text)
    • https://www.iadh.bi/images/minecraft-free-ios_GM479516143.pdf  (In PDF document text)
    • https://www.iadh.bi/images/how-to-get-minecraft-for-free-on-android_GM479516143.pdf  (In PDF document text)
    • https://www.iadh.bi/images/how-to-hack-into-someones-roblox-account_GM431946152.pdf  (In PDF document text)
    • https://www.iadh.bi/images/how-to-get-free-spins-in-coin-master_GM406889139.pdf  (In PDF document text)
    • https://www.iadh.bi/images/coin-master-hack-without-verification-2021_GM406889139.pdf  (In PDF document text)
    • https://www.iadh.bi/images/blox-land-free-robux_GM431946152.pdf  (In PDF document text)
    • https://www.iadh.bi/images/coin-master-free-spins-2021_GM406889139.pdf  (In PDF document text)
    • https://www.iadh.bi/images/haktuts-coin-master-free-spin-link_GM406889139.pdf  (In PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License  (In PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00002a2c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A2C | 21620 bytes
    SHA-256: 6db96841a9b8af80377c95a0090d03e0a7d61ee316c7fc49e9abfe2efda584f4
font_01_sfnt_off00005913.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5913 | 18344 bytes
    SHA-256: 071cc331fbe0dfc1a6c0e7c1f1383f87707aabc4deba919dc9b38235f2b9b975