Malicious PDF — malware analysis report

Static analysis result for SHA-256 792cef31a65ce700…

Verdict: MALICIOUS
File type: PDF
Size: 33.2 KB
Created: 2021-07-21 02:41:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: e02b2735ff5c5dc7d55152eaa0e2adc7
SHA-1: de613959a2f98fe673ea7c238e779e0fa4c616ef
SHA-256: 792cef31a65ce700eaadab8e755bdb3ba41874c74447afd0e4ebda469937e6dd
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs pointing to sites offering game hacks and free play, strongly suggesting a lure for downloading malware or engaging in phishing. The presence of a download button heuristic and the ML classifier's high confidence further support this assessment. Although no scripts were explicitly extracted, the document's structure and embedded URLs indicate an attempt to trick users into downloading malicious files.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9942

Heuristics (4)

  • Callback phishing phone lure (severity: medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00002c11.bin
    SHA-256: 94d372fe567e10b0ded6c0963aa785ce0b35e0661532af782d63d1c1068b309d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C11
    Size: 22744 bytes
  • font_01_sfnt_off00005ec9.bin
    SHA-256: fbb9b780a0bb14823a54994ffd1331078a17861a297534d48eb4e2856c7fc06d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EC9
    Size: 18624 bytes