Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d27f13397b25fac…

MALICIOUS

PDF

36.6 KB Created: 2021-05-10 20:11:57 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2026-06-04
MD5: fcec2e84b98378bf5204ef4e260ed02e SHA-1: 55d02074635bdac77453d0730b46b606ccb25d07 SHA-256: 6d27f13397b25faceb18c8f63cde0abaddebb825ea447d933958cc5f137040a0
70 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded text and a link that mimics a download for 'Minecraft Hacks'. The primary heuristic indicates that the embedded link, 'https://netcdn.xyz/app/479516143/minecraft-hacks-1.8-9-game-hack', redirects to known malicious infrastructure. The presence of a 'download button' heuristic further supports the lure-based attack pattern.

Machine Learning

  • Nyx PDF Classifier clean score 0.0292

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-hacks-1.8-9-game-hack In PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000031e7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x31E7 26320 bytes
SHA-256: cdf98d8244aec48a6081f9fce548cfed6e6d8f718d1cfc6add05f4ab6b227724
font_01_sfnt_off00006dd5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6DD5 18284 bytes
SHA-256: cc1afa3f9e5bafff3439a24eb4e00371cb949553c5e41947bccc849ebc804b61

Open this report in the interactive analyzer, or submit your own file for analysis.