Malicious PDF — malware analysis report

Static analysis result for SHA-256 4466f47cb4873000…

Verdict: MALICIOUS
File type: PDF
Risk score: 102

Size: 38.7 KB
Created: 2021-05-24 15:46:00 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-17

MD5: 9f1049a3f92229f22a0357d90fc78aa6
SHA-1: f14411b7cc0970c3ba4ac0aba97002ae0addf565
SHA-256: 4466f47cb4873000c3af3ad7e6cd20513471ebb6e82e5f84c63118b171a005b3

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document uses a lure related to 'Minecraft Hacked Client' and 'CLICK HERE TO ACCESS MINECRAFT GENERATOR' to entice users to click on malicious URLs. These URLs redirect to other PDF files hosted on suspicious domains, indicating a phishing or scam campaign. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics (5)

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding on its own; it matters only when other findings point to a malicious workflow.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • https://netcdn.xyz/app/479516143/minecraft-hacked-client-game-hack  (PDF link annotation)
    • http://stsbih.com.ba/images/how-to-hack-roblox-accounts-on-phone-2021_GM431946152.pdf  (in PDF document text)
    • http://stsbih.com.ba/images/coin-master-free-spins-app_GM406889139.pdf  (in PDF document text)
    • http://stsbih.com.ba/images/free-coin-link-for-coin-master_GM406889139.pdf  (in PDF document text)
    • http://stsbih.com.ba/images/coin-master-new-link-free-spin_GM406889139.pdf  (in PDF document text)
    • http://stsbih.com.ba/images/give-free-robux_GM431946152.pdf  (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License  (in PDF document text)
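The two things the report does with URLs, labelling each one with the channel that reached it (a /URI link annotation versus a string drawn as page text) and matching the /app/<id>/<slug>-game-hack redirector shape, can be reproduced with a small regex-based scanner. The block below is an added example written for this report, not the analysis engine's own code. It runs on a constructed, hand-written PDF that mimics the shape of this sample (one link annotation carrying the netcdn.xyz redirector, one stsbih.com.ba URL in page text); it also inflates FlateDecoded streams with zlib, since the real sample's content stream is compressed (see the extracted artifacts), and it assumes the annotation dictionary itself is not inside a compressed object stream.

```python
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample (not the analysed 38.7 KB file): an uncompressed,
# hand-written PDF with one /URI link annotation and one URL drawn as text.
CONTENT = (
    b"BT /F1 12 Tf 72 700 Td (CLICK HERE TO ACCESS MINECRAFT GENERATOR) Tj ET\n"
    b"BT /F1 10 Tf 72 680 Td "
    b"(http://stsbih.com.ba/images/give-free-robux_GM431946152.pdf) Tj ET\n"
)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Contents 4 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /Length " + str(len(CONTENT)).encode() + b" >>\nstream\n"
    + CONTENT + b"endstream\nendobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 400 710] "
    b"/A << /S /URI /URI (https://netcdn.xyz/app/479516143/"
    b"minecraft-hacked-client-game-hack) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same document with the content stream FlateDecoded, as in the real sample
# (the /Length is now stale; the scanner does not rely on it).
FLATE_PDF = SAMPLE_PDF.replace(
    b"stream\n" + CONTENT + b"endstream",
    b"stream\n" + zlib.compress(CONTENT) + b"\nendstream",
)

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^()]*)\)")          # /URI (target) in an action
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
TEXT_STRING_RE = re.compile(rb"\(([^()]*)\)\s*Tj")            # literal string shown with Tj
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Redirector shape named by PDF_GAME_HACK_REDIRECT_LURE: /app/<id>/<slug>-game-hack
GAME_HACK_RE = re.compile(r"^/app/\d+/[a-z0-9-]+-game-hack/?$")


def decoded_streams(pdf):
    """Yield each stream body, inflated when it is Flate-compressed."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)   # trailing EOL before 'endstream' is ignored by zlib
        except zlib.error:
            yield raw                    # not Flate: scan the bytes as they are


def extract_urls(pdf):
    """Return [(url, channel)] in discovery order, duplicates removed."""
    found = []

    def add(url, channel):
        if (url, channel) not in found:
            found.append((url, channel))

    # Channel 1: URI actions on link annotations (clickable targets).
    for m in URI_ACTION_RE.finditer(pdf):
        add(m.group(1).decode("latin-1"), "PDF link annotation")
    # Channel 2: URLs written as visible text inside (inflated) content streams.
    for body in decoded_streams(pdf):
        for s in TEXT_STRING_RE.finditer(body):
            for u in URL_RE.findall(s.group(1)):
                add(u.decode("latin-1"), "In PDF document text")
    return found


def game_hack_redirectors(urls):
    """URLs whose path matches the game-hack redirector shape, from any channel."""
    return [u for u, _ in urls if GAME_HACK_RE.match(urlsplit(u).path)]


def analyze(pdf):
    """Reproduce the URL-related finding IDs used in the report (hypothetical helper)."""
    urls = extract_urls(pdf)
    findings = []
    if any(ch == "PDF link annotation" for _, ch in urls):
        findings.append("PDF_URI")
    if urls:
        findings.append("EMBEDDED_URL")
    if game_hack_redirectors(urls):
        findings.append("PDF_GAME_HACK_REDIRECT_LURE")
    return {"urls": urls, "findings": findings}


if __name__ == "__main__":
    for pdf in (SAMPLE_PDF, FLATE_PDF):
        for url, channel in extract_urls(pdf):
            print(f"{url}  ({channel})")
        print(analyze(pdf)["findings"])
```

The channel label is the useful part for triage: a URL that sits only in page text needs the user to type or copy it, while a /URI action fires on a single click, which is why the single netcdn.xyz link annotation is the one the lure heuristic keys on. Escaped parentheses, hex strings and annotations stored inside object streams are not handled here; a production extractor should walk the object tree with a real PDF parser rather than regexes.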

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_002_off00003461.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3461    24848 bytes
    SHA-256: 80bec34873857b414c6ba74f7ae44aa0bb91cdc4605b282befafb969e3c07f81
font_01_sfnt_off00006c9f.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x6C9F   3128 bytes
    SHA-256: 801f6fa60decd1add2f223f91580103c35e150c924465f86a7a572b3e00674f9
font_02_sfnt_off000076de.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x76DE   17988 bytes
    SHA-256: 60084e38a3b13cc374d8b54708ec2a3852040562095209170bda5240b53bf335