Malicious PDF — malware analysis report

Static analysis result for SHA-256 3301bf6eb1561a0a…

MALICIOUS

PDF

Size: 42.3 KB
Created: 2021-05-17 15:50:56 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2a9b6d21654d5ee5ff15e156d065b1d6
SHA-1: 2c76d691a986b4527e60cf5f78416e0ce46b9428
SHA-256: 3301bf6eb1561a0a0108633728b62cf634980bf5478b31f5b27920b7bf458ff0
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains multiple embedded URLs and a prominent call-to-action, strongly suggesting a phishing or scam attempt. The heuristic 'SE_SECRET_RECOVERY_LURE' indicates the document may attempt to trick users into revealing sensitive information like private keys or passwords under the guise of game rewards. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 4

  • Recovery secret / private key request critical SE_SECRET_RECOVERY_LURE
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal indicator on its own unless other findings point to a malicious workflow.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • stream_003_off00004b35.bin
    SHA-256: be5da45f2bb769e2765c4cca7ddfd1e0be09443cf6deb1cafa003e66b03cd4d9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B35
    Size: 24916 bytes
  • font_01_sfnt_off000083e8.bin
    SHA-256: 7aa3b039b4dd2eaa3c78c28a8976d594c7bc5201e2dd003047650d51ef6c46d2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x83E8
    Size: 17892 bytes