Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a92157fa5d6a24f…

MALICIOUS

PDF

33.6 KB Created: 2021-07-19 13:50:53 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-17
MD5: e8c8e4d852b115436e7a13ca0cf37d58 SHA-1: 2ca519d0749d86b481659c61f8a0f104c67e11fa SHA-256: 4a92157fa5d6a24f15bb252600b449ab830cc19e825b9d0a5c7998638d44a927
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple embedded URLs, with a primary focus on luring users with promises of free Minecraft server hosting. The heuristic 'PDF_GAME_HACK_REDIRECT_LURE' and the document body text strongly suggest a phishing or scam attempt. While no scripts were directly extracted, the PDF structure and embedded links indicate it's designed to redirect users to malicious sites, likely for further exploitation or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/479516143/free-minecraft-bedrock-server-hosting-game-hack PDF link annotation
    • http://www.akvamaster.com.ua/images/how-to-hack-someone-on-roblox_GM431946152.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/minecraft-java-edition-free-download_GM479516143.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/free-robux-2021_GM431946152.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/try-minecraft-free_GM479516143.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/coin-master-free-coins_GM406889139.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/coin-master-free-spins_GM406889139.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/how-to-get-verified-on-tiktok-for-free-2021_GM835599320.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/give-me-free-robux_GM431946152.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/coin-master-free-spins-2021_GM406889139.pdfIn PDF document text
    • http://www.akvamaster.com.ua/images/minecraft-bedrock-server-hosting-free_GM479516143.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002e3a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2E3A 22488 bytes
SHA-256: d3c415a33f1463c1c612f3b8252c3265e9e44a36054a09a86fa51c6b8789b693
font_01_sfnt_off0000605d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x605D 18672 bytes
SHA-256: fcf161d812b4feaa3e2bf8e8c417d8656b3909a46e27a4c0a1d90eda073f6fc6