Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e2885610a804a0b…

MALICIOUS

PDF

36.5 KB Created: 2021-05-20 19:52:10 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f2c91587c110f77ac81fd89375bb6eb1 SHA-1: 3806793e6b4efb1c945ffed6345306671b8810ce SHA-256: 0e2885610a804a0b4196e1e500be4fccb83b6f97c152e1db227226a3f3cea86d
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains heuristics indicating it is malicious, including an external URI pointing to a suspicious domain and a machine learning classifier flagging it as malicious. The document body and embedded links suggest a lure to download a file, likely a second-stage payload, related to game cheats or hacks. The presence of a QR code lure and a visual download button further supports this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics 4

  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/is-there-a-free-version-of-minecraft-game-hack
    • https://elearning.mtsn2kukar.sch.id/__statics/gudangsoal/files/minecraft-hack-mod_GM479516143.pdf
    • https://elearning.mtsn2kukar.sch.id/__statics/gudangsoal/files/free-roblox-accounts_GM431946152.pdf
    • https://elearning.mtsn2kukar.sch.id/__statics/gudangsoal/files/hack-coin-master-32-mod-apk_GM406889139.pdf
    • https://elearning.mtsn2kukar.sch.id/__statics/gudangsoal/files/codes-to-get-free-robux_GM431946152.pdf
    • https://elearning.mtsn2kukar.sch.id/__statics/gudangsoal/files/free-robux-no-human-verification-no-survey_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003506.bin
c9ee65afd672c6583ed0449eff5f3dcc1e4e3674d9f28bd17c55425126331580		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3506 25068 bytes
font_01_sfnt_off00006e1c.bin
aceee9a041b582042c2100ba6115aff943c09cf12b5359888ef7326718d96eb0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E1C 18012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.