PDF static analysis report

Static analysis result for SHA-256 f5dfd27edc28f092…

SUSPICIOUS

PDF

Size: 44.7 KB
Created: 2021-05-11 18:32:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: d7e67fa73b72b3b926979e6ce44a8dbf
SHA-1: 2534af560c8c7719117fc9fbef3ebbd923f200f0
SHA-256: f5dfd27edc28f09254b5529f87507d8a1cc781e70bfe787d5d253bcebd53662b
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs that lead to websites offering game hacks and free in-game currency, such as Roblox Studio hacks and Coin Master cheats. The ML classifier strongly flagged this PDF as malicious, indicating a high probability of it being used for phishing or distributing malware. The presence of these lures suggests an attempt to trick users into downloading malicious software or visiting compromised sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 3

  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/431946152/roblox-studio-free-download-game-hack (PDF link annotation)

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004a70.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A70
    Size: 28896 bytes
    SHA-256: 0c63262b93545bacc4ec9d114810a8693f37b2a3d23baf4bb10fd322f1f26653
  • font_01_sfnt_off00008a29.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8A29
    Size: 19048 bytes
    SHA-256: 285731f73243192995ef55c7bff5b12d0277a9b461a1d4b1bbd56785699d0c43