PDF static analysis report

Static analysis result for SHA-256 f6192c0458b19cb9…

SUSPICIOUS

PDF

Size: 47.6 KB
Created: 2021-06-03 06:24:00 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: f9150769c25dcebd9e6b5b72d5bf7299
SHA-1: f3a28109a636e384761518331a53fb47b9c1198d
SHA-256: f6192c0458b19cb995bae1c14251ab82e248ffc2f0dc808940222fc7e13b395f
Risk Score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs that lead to external resources, likely intended to trick the user into downloading malicious files. The ML classifier strongly flagged this PDF as malicious, and the 'download button' heuristic further supports malicious intent. Although no scripts were extracted, the document's structure and embedded URLs suggest it acts as a lure for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9832

Heuristics 3

  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.online/app/431946152/games-on-roblox-that-will-give-u-free-hat-youtubecom-game-hack (PDF link annotation)

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • stream_004_off0000564e.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x564E
    Size: 26900 bytes
    SHA-256: 13f1f6c6704f7a62537adef1fc714961af37a37273aec73f64dfd4feab90d308
  • font_01_sfnt_off000093fa.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x93FA
    Size: 19624 bytes
    SHA-256: 588a816a6aa417f3829a786c37edb640a56effa7a185ed99e0acf3dc0c540901