Malicious PDF — malware analysis report

Static analysis result for SHA-256 447255806fc282bf…

MALICIOUS

PDF

Size: 45.9 KB
Created: 2021-05-15 23:07:16 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e81a6744bb7bb44daee48b921eb94b3c
SHA-1: 705d4507debb94e50c9a3eac9766a095c139ca99
SHA-256: 447255806fc282bfe1637e76f57371c9f37b6565ad57fa8bf2e26d1d7ee6575c
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs, including one pointing to a suspicious domain related to game hacks, and exhibits characteristics of a phishing lure with a visual download button. The ML classifier also flagged this PDF as malicious with high confidence. The presence of these elements suggests an attempt to trick the user into downloading potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9432

Heuristics (4)

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/431946152/roblox-inappropriate-games-game-hack
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/how-to-win-attack-madness-in-coin-master-hack_GM406889139.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-spin-pattern_GM406889139.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/http-bit-ly-coin-master-hack_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-free-spin-today_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/lastrick-com-coin-master-hack_GM406889139.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/free-coins-for-flip-master_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/como-generar-coin-master-free-spins_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/free-robux-codes-no-verification-2021_GM431946152.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/hacks-master-coin_GM406889139.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/free-robux-no-verification-at-all_GM431946152.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-daily-gift-free-spins-and-coins-link_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/free-promo-codes-for-robux_GM431946152.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/claim-free-robux_GM431946152.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/rare-free-links-to-coin-master_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-free-spins-cheat_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/minecraft-pocket-edition-free-apk_GM479516143.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/freespinandcoin-blogspot_GM406889139.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-hack-no-verification-ios_GM406889139.pdf
    • https://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/get-free-robux-now_GM431946152.pdf
    • http://elearning.mtsn1banjarnegara.sch.id/__statics/gudangsoal/files/coin-master-map_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • stream_003_off00004b58.bin
    SHA-256: 0d1e47a3116717020c424d3f779dc084f8e790494549f144da5a803c889b3939
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4B58
    Size: 24692 bytes
  • font_01_sfnt_off00008472.bin
    SHA-256: 4b3e0f36ad1e0c7e3ea5c178fd2b4f097d1e01575fc6a4101a8b520db34dfe07
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8472
    Size: 3400 bytes
  • font_02_sfnt_off00008f9b.bin
    SHA-256: 0ec566ecd5d1a86c10a54aa75463edd1ab022be4c3718a292107c635b8cc8674
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F9B
    Size: 18672 bytes