Malicious PDF — malware analysis report

Static analysis result for SHA-256 6af863ceb64126d6…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Created: 2021-05-16 07:02:28 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 46c41c7754b8c383dee8bc7ad6fe0c03
SHA-1: 64664f00c7873a921de51bcb2a1536ca0ea10a60
SHA-256: 6af863ceb64126d6361ce098f5ce1d1839e0ea011d02c358d21e37b6848eb9df
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document exhibits characteristics of a malicious PDF: a high ML classifier score (0.9632) and a large set of embedded external URLs. The visible content is a lure for game-related cheats and free in-game currency (Coin Master spins, Robux, Minecraft hacks), and the extracted links point to further PDFs with similar cheat-themed filenames hosted in an upload directory of an unrelated website, together with a gift-card site. A remote-support-tool lure heuristic also fired at high severity. No JavaScript or other scripts were extracted, and the carved artifacts are a content stream and two embedded fonts only, so the embedded URLs, not an exploit payload, are the primary indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9632

Heuristics (4)

  • Remote-support tool lure [high] SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; high-risk in an unsolicited document
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/479516143/how-to-make-a-minecraft-client-game-hack
    • http://www.abilityireland.com/uploaded_files/userfiles/files/latest-coin-master-free-spins-link_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/toolbox-premium-apk_GM479516143.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-daily-free-spins-and-coins-2021_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/my-robux_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/google-moon-active_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-daily-free-spin-and-coin_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/free-coin-app_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/roblox-got-talent-piano-hack_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/minecraft-for-chromebook-free_GM479516143.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/best-free-spin-app-for-coin-master_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/40-free-spins-coin-master_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-free-spins-and-coins_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/rbx-hut_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-free-spins-link-whatsapp-group_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/minecraft-windows-10-key-free_GM479516143.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/roblox-free-bundles_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-game-legitimate-hack-without-signing-up-or-shareing_GM406889139.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/how-to-hack-in-roblox-prison-life_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/get-free-robux-today_GM431946152.pdf
    • http://www.abilityireland.com/uploaded_files/userfiles/files/coin-master-free-coins_GM406889139.pdf
    • https://code.giftcards.com
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_003_off00004a26.bin
  SHA-256: 365b69eab7857ec20835a8e8e89f8c8da194f3278ade4a1d89c86123a7db229c
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecode stream at offset 0x4A26
  Size: 24472 bytes

Filename: font_01_sfnt_off00008253.bin
  SHA-256: 8c5d9bcb386d88c7f99323d8d482e46ea21dea038a5b842744dd5d39b26b2c44
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8253
  Size: 2856 bytes

Filename: font_02_sfnt_off00008c29.bin
  SHA-256: 56ece9bcb07882a6659c5f7e1ce038c62729a3d0bc69e44cc409015ae3a9828f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8C29
  Size: 18116 bytes
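The two findings above that a practitioner usually wants to reproduce by hand are the URL channels behind PDF_URI / EMBEDDED_URL (a /URI link-annotation action versus a URL sitting in the document body) and the stream carving behind the artifact table (offset, kind, size, SHA-256 of each FlateDecode stream). The script below is an added example and is not the analysis platform's own code: it builds a tiny constructed PDF inline (one /URI annotation, one FlateDecode content stream), carves and inflates every stream, and labels each URL with the channel that reached it. The function names, the constructed sample and the `example.invalid` URLs are all assumptions made here for illustration.

```python
import hashlib
import re
import zlib

# Constructed sample: a tiny PDF with one /URI link annotation and one
# FlateDecode content stream whose text carries a second URL. It is NOT the
# sample described in the report; it exists only so the script runs offline.
SAMPLE_TEXT = b"BT /F1 12 Tf 72 700 Td (Download Now: https://example.invalid/app/1/cheat) Tj ET"
ANNOT_URL = b"http://example.invalid/files/lure_GM1.pdf"


def build_sample_pdf() -> bytes:
    deflated = zlib.compress(SAMPLE_TEXT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
        + deflated + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 700] "
        b"/A << /S /URI /URI (" + ANNOT_URL + b") >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_off = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_off)
    return bytes(out)


STREAM_START = re.compile(rb"(?<!end)stream\r?\n")          # skip "endstream"
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>[^)]*)\)")  # literal-string URIs only
URL_IN_TEXT = re.compile(rb"https?://[^\s()<>\"']+")


def iter_streams(pdf: bytes):
    """Yield (data_offset, is_flate, raw_bytes) for every stream object in the file."""
    for m in STREAM_START.finditer(pdf):
        obj = pdf.rfind(b" obj", 0, m.start())
        if obj < 0:
            continue
        head = pdf[obj:m.start()]            # the stream dictionary
        data_off = m.end()
        # Use a direct /Length; an indirect "/Length n 0 R" falls back to endstream.
        length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)
        if length:
            raw = pdf[data_off:data_off + int(length.group(1))]
        else:
            end = pdf.find(b"endstream", data_off)
            if end < 0:
                continue
            raw = pdf[data_off:end].rstrip(b"\r\n")
        yield data_off, b"/FlateDecode" in head, raw


def carve_streams(pdf: bytes) -> list:
    """Mirror the report's artifact table: offset, kind, size and SHA-256 per stream."""
    artifacts = []
    for off, flate, raw in iter_streams(pdf):
        kind, data = "raw-pdf-stream", raw
        if flate:
            try:
                kind, data = "decompressed-pdf-stream", zlib.decompress(raw)
            except zlib.error:
                kind = "undecodable-pdf-stream"   # truncated/corrupt: keep raw for manual review
        artifacts.append({"offset": off, "kind": kind, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return artifacts


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel(s) that reached it, like the report's per-URL labels."""
    found = {}

    def add(url: bytes, channel: str):
        found.setdefault(url.decode("latin-1"), set()).add(channel)

    arts = carve_streams(pdf)
    # Channel 1: /URI actions, in the raw file and in inflated streams (PDF 1.5+
    # may pack annotation objects into compressed object streams).
    for blob in [pdf] + [a["data"] for a in arts]:
        for m in URI_ACTION.finditer(blob):
            add(m.group("uri"), "link-annotation")
    # Channel 2: literal URLs in the document body (inflated content streams).
    for art in arts:
        for m in URL_IN_TEXT.finditer(art["data"]):
            add(m.group(0), "document-body")
    return {url: sorted(ch) for url, ch in found.items()}


if __name__ == "__main__":
    sample = build_sample_pdf()
    for art in carve_streams(sample):
        print(f"stream at 0x{art['offset']:X}: {art['kind']} {art['size']} bytes {art['sha256']}")
    for url, channels in extract_urls(sample).items():
        print(url, channels)
```

Two caveats when running this against a real wkhtmltopdf/Qt sample like the one above: its content streams draw text through subset fonts with custom encodings, so body text appears as hex glyph-ID strings rather than ASCII and the document-body channel needs a real text extractor (pdftotext or pdfminer.six) instead of a regex; and /URI values written as hex strings or with PDF string escapes are not matched by `URI_ACTION` as written. The link-annotation channel on the raw object syntax is what catches the /URI action that PDF_URI reports.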