PDF static analysis report

Static analysis result for SHA-256 f895b83951d1d1ac…

SUSPICIOUS

PDF

Size: 42.1 KB
Created: 2021-05-16 01:41:58 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 4d84d35b674a045b741d70f5475e117c
SHA-1: 17f937e4d3d18f2832dc85221db1bda8867562d8
SHA-256: f895b83951d1d1acb01792bf8e761d89d11ad363f0f5d6ab80e20b1a1b8d7253
Risk score: 42

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure for 'Coin Master Free Spins' and embeds external URIs pointing to suspicious domains. The ML classifier also flagged the PDF as malicious. While no scripts were directly extracted, the presence of embedded URLs and the document's theme suggest it's designed to redirect users to potentially harmful content, likely a phishing or scam page.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (3)

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-free-spins-link-whatsapp-group-game-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off000049ce.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x49CE
  Size: 24272 bytes
  SHA-256: 6b532ad4012c200e4c5b17e8885f7943b4cb5028393ebf1c90e56a6623fcc9bc

Filename: font_01_sfnt_off00008157.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8157
  Size: 18560 bytes
  SHA-256: e17242fb732615db3af82b15b0eb94d62c2cda97be0a738ea92ad14a310048ef