Malicious PDF — malware analysis report

Static analysis result for SHA-256 599fff58de087c03…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Created: 2021-07-05 13:56:43 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-13
MD5: f47400a9c37e9ff4648baff6d9f881e2
SHA-1: c8df1c082de35cc38b92397b0a8fc1ba11a05f3a
SHA-256: 599fff58de087c0378afa485515fdff3321111e94f0ef7908d1b199fcf9c16da
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document is a game-cheat lure. Its one clickable link (a URI link annotation) points to a "hack" APK download on netcdn.tw, and the page text lists twenty further URLs on a second domain (library.gkigadingserpong.org) for Roblox, Minecraft, Coin Master and TikTok cheats, so it targets users searching for game hacks. The password-protected archive heuristic fired because the text gives the reader a password for an archive or attachment, a common way to keep the real payload encrypted until after gateway scanning. No JavaScript or other script was extracted, and the only objects carved from the file are two embedded fonts, so the verdict rests on the Nyx classifier score (0.998) and the social-engineering findings rather than on an exploit inside the PDF; the expected next stage is a user-initiated download of the linked payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (4)

  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs by channel:
    • http://netcdn.tw/app/406889139/mcpe-master-hack-coin-apk-game-hack [PDF link annotation]
    • http://library.gkigadingserpong.org/repository/friendly-face-free-roblox_GM431946152.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/free-play-roblox-login-online_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/free-pe_GM479516143.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/how-to-code-roblox-hacks_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/free-minecraft-client_GM479516143.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/krnl-download_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/free-private-server-roblox_GM431946152.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/how-to-use-a-script-hack-roblox-game_GM431946152.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/minecraft-windows-10-hacks_GM479516143.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/roblox-verification_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/coin-master-free-spins-link-2021-app_GM406889139.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/coin-master-34-4-hack_GM406889139.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/free-robux-sites-that-work_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/free-tiktok-accounts-and-passwords_GM835599320.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/coin-master-hack-spins-free_GM406889139.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/coin-master-free-spins-iphone_GM406889139.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/games-that-give-you-free-robux-2021_GM431946152.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/hacks-da-hood-roblox_GM431946152.pdf [in PDF document text]
    • http://www.library.gkigadingserpong.org/repository/get-free-spins-for-coin-master_GM406889139.pdf [in PDF document text]
    • http://library.gkigadingserpong.org/repository/free-robux-generator-2021-no-human-verification-or-survey_GM431946152.pdf [in PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [in PDF document text]

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000347e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x347E
  Size: 23296 bytes
  SHA-256: be52dfde831030b86a3253ffcf9e5231a5a18f2019b86321ed5dfe345fab7a03
Filename: font_01_sfnt_off00006932.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6932
  Size: 18180 bytes
  SHA-256: 87072597483cb08a2f983c489319c3f89934693df86524fd72547e99bba744fc
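The following script is an added example, not the scanner's code and not part of the original report. It reproduces, with the standard library only, the distinctions the heuristics and artifact sections above rely on: URLs reachable by a click (URI actions on link annotations, the PDF_URI channel) versus URLs merely visible in page text (the EMBEDDED_URL "document text" channel), a password-handoff phrase check approximating SE_PASSWORD_ARCHIVE_LURE (my regex, not the vendor rule), and carving candidates for sfnt font streams by their header, which is how the two "pdf-font-stream" artifacts are located. The sample PDF, the example.invalid URLs and the function names are constructed for an offline run.

```python
"""Added example (not the scanner's code): stdlib-only static triage of a PDF
that reports the channels the report above distinguishes. The sample PDF and
the example.invalid URLs are constructed here so the script runs offline."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")          # /A << /S /URI /URI (...) >>
LITERAL_STRING_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")   # (...) operands of Tj/TJ
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# "password ... archive/zip/attachment" on one line: an approximation of the
# handoff pattern behind SE_PASSWORD_ARCHIVE_LURE, not the vendor's rule
PASSWORD_LURE_RE = re.compile(
    rb"(?i)\b(password|passcode)\b[^\n]{0,60}\b(archive|zip|rar|7z|attachment|extract|unzip)\b")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")      # TrueType / OpenType / Apple sfnt


def iter_streams(pdf: bytes):
    """Yield (object number, stream dictionary, absolute data offset, decoded bytes).
    Only /FlateDecode is inflated; other filters come back raw. Objects packed in
    PDF 1.5 object streams are not visited, so compressed annotations are missed."""
    for obj in OBJ_RE.finditer(pdf):
        sm = STREAM_RE.match(obj.group(2))
        if not sm:
            continue
        dictionary, data = sm.group(1), sm.group(2)
        offset = obj.start(2) + sm.start(2)        # where the raw stream data sits in the file
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                           # corrupt or unsupported: skip, never crash
        yield int(obj.group(1)), dictionary, offset, data


def page_text(pdf: bytes) -> bytes:
    """Concatenate literal-string operands of text-showing operators. Enough for
    simple fonts; wkhtmltopdf output with Identity-H CID fonts uses hex strings
    and needs a real text extractor (pdfminer, pypdf)."""
    parts = []
    for _, _, _, data in iter_streams(pdf):
        if re.search(rb"\bT[jJ]\b", data):
            parts.extend(LITERAL_STRING_RE.findall(data))
    return b" ".join(parts)


def triage(pdf: bytes) -> dict:
    """Return the per-channel findings for one PDF."""
    text = page_text(pdf)
    return {
        # click-reachable: URI actions on link annotations (link annotation channel)
        "link_annotation_urls": sorted(set(URI_ACTION_RE.findall(pdf))),
        # visible only: URLs typed into the page body (document text channel)
        "text_urls": sorted(set(URL_RE.findall(text))),
        "password_lure": PASSWORD_LURE_RE.search(text) is not None,
        # carve candidates for pdf-font-stream artifacts: sfnt header at stream start
        "sfnt_fonts": [(off, len(data)) for _, _, off, data in iter_streams(pdf)
                       if data[:4] in SFNT_MAGICS],
    }


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: one page with a URI link
    annotation, a FlateDecode content stream holding a URL and a password
    handoff sentence, and a header-only fake sfnt font stream."""
    content = zlib.compress(
        b"BT /F1 12 Tf 72 700 Td (Download the cheat from "
        b"http://example.invalid/cheat-tool) Tj 0 -20 Td "
        b"(Password for the archive is 1234) Tj ET")
    font = b"\x00\x01\x00\x00" + b"\x00" * 60    # sfnt version 1.0 header plus padding
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 690 300 710] "
        b"/A << /S /URI /URI (http://example.invalid/app/hack-apk) >> >>",
        b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

Two caveats when pointing this at a real sample such as the one above: a URL that appears only as a link annotation is the one a victim actually reaches by clicking, so it deserves more weight than the twenty listed in body text, which this script (and the report) deliberately keeps apart; and the carved font streams are ordinary sfnt data, located here by header just as the artifact offsets were, and are not an indicator on their own. For production use prefer a real parser (pdfminer, pypdf, peepdf) that handles object streams, CID fonts and the other stream filters this example ignores.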