PDF static analysis report

Static analysis result for SHA-256 ec91974a40b0f11d…

Verdict: SUSPICIOUS

File type: PDF
Size: 49.1 KB
Created: 2021-06-11 05:04:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 2db401a169134b8fe1856d2b2a325852
SHA-1: 761d1adfb89dd5cbb21ac80bb648565286a22084
SHA-256: ec91974a40b0f11d06545500fc4ce0f33dd3e8cb1680eda5a74fdb20f68c39c0

Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs and a visual download button, suggesting an attempt to trick the user into navigating to external sites for potentially unwanted content. The ML classifier also flagged this PDF as malicious with high confidence. The presence of links related to game hacks and free items indicates a lure-based social engineering tactic.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9796

Heuristics (3)

  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.tw/app/431946152/fe-hacks-roblox-free-game-hack (PDF link annotation)
    • http://lib.fisipumt.ac.id/repository/robux-sites_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/roblox-hacks-2021_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/coin-master-free-coins-generator_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/robloxmatchcom-free-robux_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/guuud-info-roblox-free-robux_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/ww-roblox-come_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/free-roblox-passwords_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/coin-master-game-hack-version-download_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/pokemon-go-free-event_GM1094591345.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/coin-master-daily-free-spins-link-2021_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/coin-master-hack-without-verification-site-zyngaplayerforumscom_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/send-me-500-2021-spins_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/coin-master-free-daily-spins-today_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/minecraft-free-download-android_GM479516143.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/haktuts-coin-master-free-daily-spins_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/roblox-free-pets_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/roblox-promo-codes-for-free-robux_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id//repository/real-robux_GM431946152.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/coin-master-free-stuff_GM406889139.pdf (in PDF document text)
    • http://lib.fisipumt.ac.id/repository/minecraft-pe-hack-client-ios_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_004_off000051b5.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x51B5
  Size: 27280 bytes
  SHA-256: 2fa13807530ae3e6a729787f9e57775817155518e5467a9b581096790c5a23aa

Filename: font_01_sfnt_off0000903b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x903B
  Size: 3948 bytes
  SHA-256: 85933b017fd4f47a49c29ca16c8d64906230da484c55266cf0b747b2578ec451

Filename: font_02_sfnt_off00009d31.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9D31
  Size: 18344 bytes
  SHA-256: 9016824e3fd637827b76972d2b11c28ecf6c78f797dc09e11a6861b1e98c71bf