Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bbfccbb5d8c2e1d…

MALICIOUS

PDF

Size: 46.1 KB
Created: 2021-05-16 01:32:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: efa6e2ad8df8f9844075e94516889331
SHA-1: 5ec2c754a707e930eacddd0e3c2b0e6c7a0dd33c
SHA-256: 0bbfccbb5d8c2e1d18af11eae2f4e78c2e6ac5639fc7cf9409e8dbb08bfcb285
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document body and the extracted URLs identify the file as a "Coin Master Hack 2021" lure: the visible text is a game-cheat offer with a download call-to-action, and the links point to netcdn.xyz and to a batch of similarly named PDFs (free Robux, free spins, Minecraft hacks) hosted under an academic repository path. That pattern is consistent with a generated set of scam or malware-distribution lures placed on an abused host rather than with a document that belongs there. The file itself carries no script: none was extracted, the producer string (wkhtmltopdf) matches a plain HTML-to-PDF export, and the only carved artifacts are one FlateDecode content stream and two embedded sfnt fonts. The risk therefore lies in where the links lead, not in the PDF's own content. The ML classifier's 0.9432 malicious score and the URI findings support the verdict; the callback-phishing heuristic fired on text patterns and should be confirmed against a phone number in the body before it is treated as a separate phone-scam indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9432

Heuristics (4)

  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/coin-master-hack-2021-android-game-hack
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/free-robux-for-free_GM431946152.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/new-free-money-links-coin-master_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/coin-master-free-spin-now_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/spins-for-coin-master_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/hack-coin-master-ios-download_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/how-to-hack-coin-master-game_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/how-to-get-stuff-that-cost-coins-free-mcpe-master_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/minecraft-hacks-pc_GM479516143.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/coin-master-free-daily-spins-today_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/roblox-gift-card-online-free_GM431946152.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/free-robux-generator-2021-no-survey_GM431946152.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/free-coin-master-hacks-no-verification-or-survey_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/free-coin-master-gold-cards_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/elibrary/repository/earn-robux-online_GM431946152.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/best-way-to-hack-coin-master_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/coin-master-free-coins-link-2021_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/roblox-free-roblox_GM431946152.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/free-op-minecraft-servers_GM479516143.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/google-coin-master-free-spins_GM406889139.pdf
    • http://elibraryfk.unjani.ac.id/fkrepository/repository/coin-master-free-spins-2021_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004b12.bin
  SHA-256: 8f16918cec8eb3bfcfd6a19d478a0c564ea3eefe8b329ef1abab9283117e9c26
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x4B12
  Size:    24932 bytes

Filename: font_01_sfnt_off000083d4.bin
  SHA-256: df85173feea72dc2f2189124c35b140faf44ef7a36f3496b492965e474480a3b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x83D4
  Size:    4084 bytes

Filename: font_02_sfnt_off00009193.bin
  SHA-256: 27f4b60df4c5b9b58df513bbeae6e0a7300ac945a9a466f89e8a511806a668c2
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9193
  Size:    18292 bytes
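The two findings this report rests on, URLs attributed to the channel that carried them (the PDF_URI and EMBEDDED_URL heuristics above) and streams carved with their offset and SHA-256 (the artifact table), can be reproduced offline with a short triage script. The one below is an added example, not the report generator's code: it is regex-based rather than a full PDF parser (no xref walking, no object streams, FlateDecode only), it classifies fonts by sfnt magic bytes, and it runs on a constructed minimal PDF whose hostnames (lure.example.invalid, repo.example.invalid) are placeholders, not the URLs from the sample.

```python
"""Added triage script (not the report's tooling): carve PDF streams with
offset/SHA-256 and attribute each URL to the channel that carried it."""
import hashlib
import re
import zlib

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")          # skip 'endstream'
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")        # /A << /S /URI /URI (...) >>
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")  # no ')' so literals end
ACTIVE_KEYS_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Constructed sample input (not the analysed file); hostnames are placeholders.
SAMPLE_BODY_TEXT = (b"BT /F1 12 Tf 72 700 Td (Download Now: "
                    b"https://lure.example.invalid/coin-master-hack-2021) Tj ET")
SAMPLE_LINK_URL = b"http://repo.example.invalid/free-spins_GM0.pdf"


def build_sample_pdf() -> bytes:
    """Minimal PDF: one /URI link annotation plus one FlateDecode content stream
    whose visible text carries a second URL (the 'document body' channel)."""
    compressed = zlib.compress(SAMPLE_BODY_TEXT)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (" + SAMPLE_LINK_URL + b") >> >>",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, obj in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


def carve_streams(data: bytes) -> list:
    """Find every stream, inflate FlateDecode ones, record offset/kind/size/hash.
    The stream dictionary is taken as everything between the enclosing 'obj'
    keyword and 'stream', which avoids fragile nested-dictionary parsing."""
    artifacts = []
    for idx, m in enumerate(STREAM_RE.finditer(data), start=1):
        start = m.end()
        end = data.find(b"endstream", start)
        if end == -1:
            break  # truncated file: nothing more to carve safely
        raw = data[start:end]
        # strip exactly one EOL before 'endstream'; a blanket rstrip could eat
        # 0x0a/0x0d bytes that belong to the compressed payload
        if raw.endswith(b"\r\n"):
            raw = raw[:-2]
        elif raw.endswith(b"\n") or raw.endswith(b"\r"):
            raw = raw[:-1]
        obj_pos = data.rfind(b" obj", 0, m.start())
        sdict = data[obj_pos:m.start()] if obj_pos != -1 else b""
        payload, kind = raw, "raw-pdf-stream"
        if b"/FlateDecode" in sdict:
            try:
                payload, kind = zlib.decompress(raw), "decompressed-pdf-stream"
            except zlib.error:  # sloppy /Length or corrupt tail: keep what inflates
                try:
                    payload = zlib.decompressobj().decompress(raw)
                    kind = "partial-decompressed-pdf-stream"
                except zlib.error:
                    kind = "undecodable-stream"
        if payload[:4] in SFNT_MAGICS:
            kind = "pdf-font-stream"  # TrueType / OpenType / collection magic
        artifacts.append({"filename": "stream_%03d_off%08x.bin" % (idx, start),
                          "offset": start, "kind": kind, "size": len(payload),
                          "sha256": hashlib.sha256(payload).hexdigest(),
                          "data": payload})
    return artifacts


def extract_urls(data: bytes, artifacts: list) -> dict:
    """Map each URL to the channel(s) that reached it: 'link-annotation' for
    /URI actions, 'document-body' for text in inflated streams, 'raw-object'
    for anything visible without inflating."""
    found = {}

    def add(url: bytes, channel: str) -> None:
        found.setdefault(url.decode("latin-1").rstrip(".,;"), set()).add(channel)

    for m in URI_ACTION_RE.finditer(data):
        add(m.group(1), "link-annotation")
    for m in URL_RE.finditer(data):
        add(m.group(0), "raw-object")
    for art in artifacts:
        if art["kind"].endswith("decompressed-pdf-stream"):
            for m in URL_RE.finditer(art["data"]):
                add(m.group(0), "document-body")
    return found


def triage(data: bytes) -> dict:
    """Carving + URL attribution + active-content check, summarised the way the
    report above summarises its sample."""
    artifacts = carve_streams(data)
    urls = extract_urls(data, artifacts)
    scan = [data] + [a["data"] for a in artifacts if a["kind"] != "pdf-font-stream"]
    active = sorted({k.decode() for blob in scan for k in ACTIVE_KEYS_RE.findall(blob)})
    if active:
        assessment = "active-content"   # scripts/launch/embedded files: go deeper
    elif any("link-annotation" in ch for ch in urls.values()):
        assessment = "link-lure"        # no code; the risk is where the links lead
    else:
        assessment = "no-external-reach"
    return {"artifacts": artifacts, "urls": urls,
            "active_content": active, "assessment": assessment}


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    for art in result["artifacts"]:
        print(art["filename"], art["kind"], art["size"], art["sha256"])
    for url, channels in result["urls"].items():
        print(url, sorted(channels))
    print("assessment:", result["assessment"])
```

Point `triage()` at the bytes of a real sample to get the same three views: the carved streams with their offsets and hashes, each URL with the channel that reached it (a URL that shows up only under `document-body` was hidden inside a compressed stream, which is exactly the case where grepping the raw file misses it), and whether any active-content key is present. A `link-lure` result with no active content is the shape of the sample on this page; `active-content` means the file deserves a full parser and a sandbox, not a regex pass.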