Malicious PDF — malware analysis report

Static analysis result for SHA-256 134e1d6a4c7e8a63…

Verdict: MALICIOUS
File type: PDF
Size: 51.6 KB
Created: 2021-06-08 17:42:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 88cbbd7afaab55108e8f8bb6c219c191
SHA-1: 60643f95ae0982d6fa8d89f8afeaf0dbaf2b557e
SHA-256: 134e1d6a4c7e8a639d7c1918ea057009476b9c1eefcdc68dceaa29bae4ef4431
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a document body that promotes free game-related items, indicative of a phishing or scam lure. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs suggests an attempt to redirect the user to potentially harmful websites. While no scripts were directly extracted, the overall pattern suggests a malicious document designed to trick users into visiting scam sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9464

Heuristics (4)

  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.tw/app/431946152/free-roblox-accounts-with-admin-permissions-game-hack
    • http://www.med-aid.vn/ckfinder/userfiles/files/daily-free-spins-coin-master-2021_GM406889139.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/how-to-hack-roblox-accounts-on-phone-2021_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/tiktok-followers-for-free_GM835599320.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/how-to-get-free-robux-in-2021_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/minecraft-pe-free_GM479516143.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/is-minecraft-free-on-pc_GM479516143.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-robux-generator-no-survey-no-download-no-human-verification_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-admin-commands-in-roblox_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-robux-com-no-verification_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/roblox-free-robux-hack_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/coin-master-free-spins-link-blogspot_GM406889139.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-outfits-roblox_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/blogspot-free-spins-coin-master_GM406889139.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-links-for-coin-master_GM406889139.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/how-to-get-free-robux-on-ipad-or-phone_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/robux-free-co_GM431946152.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/how-to-get-minecraft-pe-for-free_GM479516143.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/play-minecraft-online-free_GM479516143.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/coin-master-free-spin-link-today-16-11-2021_GM406889139.pdf
    • http://www.med-aid.vn/ckfinder/userfiles/files/free-minecraft-accounts-reddit_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00004edd.bin
    SHA-256: dd2766cd50032a730363aa0a601125b07b2d4f0f3317358c1a522b6a61e564b9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4EDD
    Size: 32860 bytes
  • Filename: font_01_sfnt_off00009a9b.bin
    SHA-256: 106de1d187d148d03f5c34a802444a7e62d93662ddf359d17cd55770c6c16081
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A9B
    Size: 2880 bytes
  • Filename: font_02_sfnt_off0000a48c.bin
    SHA-256: 88ef3782df90d503b286e09ce24cdd4b78eae1a86a68d87ffa8fdc11145d0e00
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA48C
    Size: 19264 bytes