Malicious PDF — malware analysis report

Static analysis result for SHA-256 422c79f4091276c6…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Created: 2021-05-25 08:31:09 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: f1b8aa000377e9b5a80bc985da7b2b90
SHA-1: e3bb0d14e52b3ba0517af507ac20baa55ca32873
SHA-256: 422c79f4091276c63020b0310461e496629312805fbe283e4f8b71a294ff5460
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a lure related to "Coin Master Free Spins" and "game hack" generators, directing users to a suspicious URL. The ML classifier also flagged this PDF as malicious. While no scripts were explicitly extracted, the presence of embedded URLs and the nature of the lure suggest an attempt to trick users into visiting a site that likely hosts further malicious content or phishing forms.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7877

Heuristics (4)

  • PDF links to a 'free generator / game hack' redirector (severity: high, rule: PDF_GAME_HACK_REDIRECT_LURE)
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack, the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this rule catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, with the channel that reached each:
      • https://netcdn.xyz/app/406889139/coin-master-free-spins-link-blogspot-game-hack (PDF link annotation)
      • http://www.smkn1kutaselatan.sch.id/new/public/ckfinder/userfiles/files/coin-master-free-coins-app_GM406889139.pdf (in PDF document text)
      • http://www.smkn1kutaselatan.sch.id/new/public/ckfinder/userfiles/files/give-me-robux_GM431946152.pdf (in PDF document text)
      • http://smkn1kutaselatan.sch.id/new/public/ckfinder/userfiles/files/apps-to-hack-coin-master_GM406889139.pdf (in PDF document text)
      • http://www.smkn1kutaselatan.sch.id/new/public/ckfinder/userfiles/files/what-do-roblox-points-do_GM431946152.pdf (in PDF document text)
      • http://smkn1kutaselatan.sch.id/new/public/ckfinder/userfiles/files/roblox-mobile-hack_GM431946152.pdf (in PDF document text)
      • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_002_off000035e3.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x35E3
    Size: 26196 bytes
    SHA-256: 5dc9f56157f59c2556ec770ec5459e847f5e03ee41770a3340b9e435bf9bb138
  • font_01_sfnt_off0000709b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x709B
    Size: 2920 bytes
    SHA-256: 601c50867a41b9362538ff18e5f9479a0f9badf698aaf1eb7e88469c11719db7
  • font_02_sfnt_off00007ab5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7AB5
    Size: 18632 bytes
    SHA-256: bdbf3986ec68ee3b496ae89412d1d0f392e3b826f1ca321ec58289079c9e4546