Malicious PDF — malware analysis report

Static analysis result for SHA-256 2838add1a24a06cc…

MALICIOUS

PDF

37.4 KB Created: 2021-05-25 10:35:52 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 90e1dec2cebd9ac93b14df4fc338e610 SHA-1: 91f5870d315c8b37c05c36ccd26384974189e79e SHA-256: 2838add1a24a06ccb76664f9fdea3f906f2eb0d10896079437e2ebbf570c0eeb
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link that redirects to a website offering a 'free generator / game hack' for Minecraft, which is a common lure for malicious downloads. The document body explicitly mentions 'Minecraft Bedrock Edition Download Pc Free' and 'CLICK HERE TO ACCESS MINECRAFT GENERATOR', reinforcing the phishing attempt. While no scripts were extracted, the embedded URI and the document's content strongly suggest a phishing attack aimed at tricking users into visiting a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier clean score 0.0076

Heuristics 5

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-bedrock-edition-download-pc-free-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002d55.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D55 24872 bytes
SHA-256: fbff0b5b5d5e475f7659247de1833f7fab715d04b18dc548ec9692906ec7fe0a
font_01_sfnt_off00006551.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6551 2880 bytes
SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
font_02_sfnt_off00006f3c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6F3C 18828 bytes
SHA-256: 57b97413d46eb8dd02e8163e11e04ebb18f1b46f22b88b993c8d7eb158a8ca98

Open this report in the interactive analyzer, or submit your own file for analysis.