PDF static analysis report

Static analysis result for SHA-256 e9aa66bb1eeb71b8…

Verdict: SUSPICIOUS
File type: PDF
Size: 51.1 KB
Created: 2021-05-11 06:43:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: 22b00f31ef778a40245ba270b607f23c
SHA-1: db018701d2cdfa34effc878d1d2d6c5a3a08acd1
SHA-256: e9aa66bb1eeb71b8cd54c42a20631c3dc2d4446e24b4c384343f0efeb780b8be
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a primary external URI pointing to a download for a 'hack-coin-master-apk'. The ML classifier also flagged this PDF as malicious. The presence of these links suggests the document is designed to trick users into downloading and executing potentially harmful software, likely as part of a phishing or social engineering campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8594

Heuristics (3)

  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://netcdn.xyz/app/406889139/hack-coin-master-apk-3.5.8-game-hack (PDF link annotation)
    • https://digilib.stimlog.ac.id/repository/free-robux-generator-no-human-verification-2021_GM431946152.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/robux-gift-card-free_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/free-roblox-injector_GM431946152.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/robux-generator-no-survey_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/free-robux-scams_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/coin-master-free-spins-generator_GM406889139.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/free-spin-coin-master-instagram_GM406889139.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/how-to-change-roblox-username-for-free_GM431946152.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/win-free-robux_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/free-robux-com_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/free-robux-no-human-verification-and-no-survey_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/get-free-robux-no-verification_GM431946152.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/coin-master-free-spin-trick_GM406889139.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/what-is-robux_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/hackear-juego-coin-master-espaol_GM406889139.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/coin-master-daily-free-spins-and-coins_GM406889139.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/free-minecraft-bedrock-server-hosting_GM479516143.pdf (in PDF document text)
    • https://digilib.stimlog.ac.id/repository/free-robux-discord-servers_GM431946152.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/minecraft-net-free_GM479516143.pdf (in PDF document text)
    • http://digilib.stimlog.ac.id/repository/free-coins-for-flip-master_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind                     Source                                     Size
stream_003_off00004ac8.bin     decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4AC8   27124 bytes
    SHA-256: 4366f81dec6e9fc347129376c44382f5b916ba76847d8b8efce646a4d44a0c68
font_01_sfnt_off000088d1.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x88D1  2812 bytes
    SHA-256: fc92a80cefddbcc51cb4ecd7284aa73b746cbd66adcf1d96110f0323ec06b51f
font_02_sfnt_off0000926d.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x926D  7332 bytes
    SHA-256: d811e0aca85f3b94c42cd1240eec68b8eb378f3d8be5e408d3f6abd0f11f834d
font_03_sfnt_off0000a486.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0xA486  18476 bytes
    SHA-256: ef1620938bbb1753b3b5074b9666c4de949f8bba958194232ab61b8971eea6d9