Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e2b88848a4c23f1…

MALICIOUS

PDF

39.0 KB Created: 2021-05-22 07:36:44 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 95e681e73290c875eb884d5ccf134fb7 SHA-1: 6f4b29e85e0d49f831f6fc74d8e2478f2e9dc882 SHA-256: 2e2b88848a4c23f12fde29b7f38438877873fb25b83deddb4b62fc3a5750b9ae
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded links that redirect to a URL associated with game hacks and generators, a common lure for malicious content. The heuristic 'PDF_GAME_HACK_REDIRECT_LURE' strongly indicates this intent. While no scripts were extracted, the presence of these lures and the ML classifier's high confidence suggest the document is designed to trick users into visiting malicious sites, likely to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-mobile-free-game-hack PDF link annotation
    • http://aspiesretreat.org/images/free-robux-redeem-codes-2021_GM431946152.pdfIn PDF document text
    • http://aspiesretreat.org/images/coin-master-free-coins-link-facebook_GM406889139.pdfIn PDF document text
    • http://aspiesretreat.org/images/free-robux-games_GM431946152.pdfIn PDF document text
    • http://aspiesretreat.org/images/robux-free-promo-codes_GM431946152.pdfIn PDF document text
    • http://aspiesretreat.org/images/tiktok-minecraft-hacks_GM479516143.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000034ba.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x34BA 25192 bytes
SHA-256: ff02b202fd1bdad1c4f0c5b2428c1993e2d330b0e64b85ca9345d666dec66762
font_01_sfnt_off00006d8d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6D8D 3056 bytes
SHA-256: dd24a0ab94df4552e459bd06fd01b0fd3f021c1d51d1d64407070e735974a028
font_02_sfnt_off000077ff.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x77FF 17944 bytes
SHA-256: ce10a2b2c496b69fcf76f31cd4916c063e1dd9befde4055646c3ea28f41e8e8e

Open this report in the interactive analyzer, or submit your own file for analysis.