Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ba9428cfa5bd132…

MALICIOUS

PDF

Size: 47.1 KB | Created: 2021-06-03 10:53:20 +07:00 | Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: dc543eb1ab4c1bd0d70adbeae45993c0 | SHA-1: 24b043396a2dc630b7e4a786791fd52826c0c7f6 | SHA-256: 3ba9428cfa5bd13276e3f928bc641bb657adda1bbda76518e59a03dc8f3a4031
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains embedded URLs and a document body promoting free in-game currency and game hacks, a typical lure for potentially malicious content. The presence of external URIs and the ML classifier's high-confidence score suggest malicious intent. Although no scripts were extracted, the document structure and embedded URLs point to a phishing or malware-distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9769

Heuristics 4

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

stream_004_off0000534d.bin
  SHA-256: 8b54d00509087c26fb250c7f1a7d22cc33b55d503292e130f03333f6a392317f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x534D
  Size: 24696 bytes

font_01_sfnt_off00008b98.bin
  SHA-256: 30dce2b9c1950da345d7fed8f00c38887adfa2f2ddecc31775af2315e819ac37
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8B98
  Size: 2840 bytes

font_02_sfnt_off0000954b.bin
  SHA-256: ab1c4cdc214a6baf81a15e2f62a40ea9cfbbbf407f0f3dd1c7564e467cf0dae2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x954B
  Size: 18228 bytes