Malicious PDF — malware analysis report

Static analysis result for SHA-256 43ead81f5c7e6839…

MALICIOUS

PDF

35.8 KB Created: 2021-05-25 07:33:53 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e7db6aa180f6cf3bc0c57b1bb70ec1bc SHA-1: 6c6853ef7e0120c21493071cddbc407561f33e57 SHA-256: 43ead81f5c7e6839b338833cf85ff2712c3bedd394e4f9c04f3a963906b49f3a
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a lure to install a browser extension or update, a common tactic for malware delivery. It also includes an external URI pointing to a URL that appears to be related to game hacks or cheats. While no scripts were directly extracted, the ML classifier and the presence of external URIs strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9508

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/how-to-get-free-followers-on-tiktok-game-hack
    • https://e-learning.manurulhuda-csp.sch.id/__statics/gudangsoal/files/coin-master-email-rewards-link_GM406889139.pdf
    • https://e-learning.manurulhuda-csp.sch.id/__statics/gudangsoal/files/how-to-block-someone-on-coin-master_GM406889139.pdf
    • https://e-learning.manurulhuda-csp.sch.id/__statics/gudangsoal/files/how-to-get-infinite-robux_GM431946152.pdf
    • https://e-learning.manurulhuda-csp.sch.id/__statics/gudangsoal/files/free-spins-coin-master-links_GM406889139.pdf
    • https://e-learning.manurulhuda-csp.sch.id/__statics/gudangsoal/files/minecraft-free-computer-game_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000032d6.bin
4751de1f655aeb3809cc7a1dbfb19f01037dbc5a016efcf3d9527ec97d03f971		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x32D6 25072 bytes
font_01_sfnt_off00006c7c.bin
c8a0034b4012066e27b368389264813a3515151838273d971ed31104f84b04bc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6C7C 17692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.