Malicious PDF — malware analysis report

Static analysis result for SHA-256 91f9af7ec95c65ae…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Created: 2021-07-07 05:15:38 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: bccdc61a572d8e11d7deeff87f032768
SHA-1: bfafded718ea2b3eb4fd7fb1e162277f3185cd0a
SHA-256: 91f9af7ec95c65ae3d3b532ab86a6a2d78cba7a32f3f8ba9e8cb84c8e7ff7aa0
Risk score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF triggers a critical heuristic for a game-hack redirect lure: it links to a URL on infrastructure known to host malicious redirectors. The document body and its embedded URLs reinforce this by advertising free spins and hacks for popular games such as Coin Master and Roblox. This is a social-engineering attack that relies on the user clicking through to harmful websites, not on a PDF parser vulnerability.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own; it only matters when other findings point to a malicious workflow.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/406889139/coin-master-free-spins-and-coins-today-gift-reward-game-hack (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-minecraft-printables_GM479516143.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-hack-roblox-yammy_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-free-robux-generator_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-hack-roblox-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-free-robux-codes_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-minecraft-account-reddit_GM479516143.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/script-executor-roblox-free_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/roblox-free-hair-promo-codes_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/where-can-i-get-free-spins-for-coin-master_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/best-free-robux-sites_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/how-to-get-free-robux-hack_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-hack-without-human-verification_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/hack-someone-roblox-for-free-robux_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-spin-hack_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/free-roblox-accounts-with-robux-and-obc_GM431946152.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-hack-program_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-free-spins-link-today-instagram_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/coin-master-hack-tool-v1-9-download-free-pc_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/freespins-coin-master_GM406889139.pdf (in PDF document text)
    • https://bpkad.denpasarkota.go.id/new/public/ckfinder/userfiles/files/instant-free-spins-coin-master_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
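The two critical heuristics above differ in what they key on: PDF_GAME_HACK_REDIRECT_LURE matches the path shape /app/<id>/<slug>-game-hack regardless of host, while PDF_MALICIOUS_REDIRECTOR_LINK needs a host list that goes stale as the campaign rotates domains. The following is an added example (not the scanner that produced this report) of a stdlib-only triage script that pulls URLs out of a PDF by channel (/URI link actions versus page-content text in inflated streams), applies both rules plus the low-signal SE_DOWNLOAD_BUTTON check, and only lets a critical rule flip the verdict. The path regex, the empty KNOWN_REDIRECTOR_HOSTS set, the .invalid hostnames and the one-page PDF it builds for itself are all assumptions constructed for the example:

```python
import re
import zlib
from urllib.parse import urlsplit

# Path shape quoted by the PDF_GAME_HACK_REDIRECT_LURE heuristic: /app/<id>/<slug>-game-hack.
# Matched on the path only, so it fires no matter which disposable host sits in front of it.
GAME_HACK_PATH = re.compile(r"^/app/\d+/[a-z0-9-]+-game-hack/?$", re.I)
# Call-to-action phrases named by SE_DOWNLOAD_BUTTON (low signal on their own).
CTA_RE = re.compile(r"click here to download|download now", re.I)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Assumption: an analyst-maintained host list for PDF_MALICIOUS_REDIRECTOR_LINK. Empty by
# default; hosts rotate, so the path-shape rule above must never depend on this list.
KNOWN_REDIRECTOR_HOSTS = frozenset()


def _pdf_string(raw: bytes) -> str:
    """Undo the escaping used inside a PDF literal string."""
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def _stream_bodies(pdf: bytes):
    """Yield each stream body: inflated when it is FlateDecode'd, raw otherwise."""
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", pdf, re.S):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs: /URI link actions first, then URLs found in stream text."""
    urls = [(_pdf_string(m.group(1)), "link annotation") for m in URI_ACTION_RE.finditer(pdf)]
    for body in _stream_bodies(pdf):
        urls += [(m.group(0).decode("latin-1"), "document text") for m in URL_RE.finditer(body)]
    return urls


def classify(url: str, known_hosts=KNOWN_REDIRECTOR_HOSTS) -> list[tuple[str, str]]:
    """Rules that fire on a single URL, as (rule_id, severity)."""
    parts = urlsplit(url)
    hits = []
    if GAME_HACK_PATH.match(parts.path):
        hits.append(("PDF_GAME_HACK_REDIRECT_LURE", "critical"))
    if parts.hostname and parts.hostname.lower() in known_hosts:
        hits.append(("PDF_MALICIOUS_REDIRECTOR_LINK", "critical"))
    return hits


def analyze(pdf: bytes, known_hosts=KNOWN_REDIRECTOR_HOSTS) -> dict:
    """Per-URL rules plus the CTA check; only a critical finding makes the verdict MALICIOUS."""
    urls = extract_urls(pdf)
    findings = [(rule, sev, url) for url, _ in urls for rule, sev in classify(url, known_hosts)]
    if any(CTA_RE.search(body.decode("latin-1")) for body in _stream_bodies(pdf)):
        findings.append(("SE_DOWNLOAD_BUTTON", "low", "call-to-action phrase in page text"))
    verdict = "MALICIOUS" if any(sev == "critical" for _, sev, _ in findings) else "CLEAN"
    return {"urls": urls, "findings": findings, "verdict": verdict}


def build_sample_pdf(link_url: str, body_text: str) -> bytes:
    """Constructed one-page PDF (not the analysed sample): a Flate-compressed content stream
    carrying body_text plus a /Link annotation whose /A action opens link_url."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (" + body_text.encode("latin-1") + b") Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 400 720] /A << /S /URI /URI ("
        + link_url.encode("latin-1") + b") >> >>",
    ]
    out = b"%PDF-1.4\n"
    offsets = []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out


if __name__ == "__main__":
    sample = build_sample_pdf(
        "http://cdn.invalid/app/406889139/coin-master-free-spins-game-hack",  # constructed lure link
        "Download Now: https://example.invalid/files/coin-master-spin-hack_GM406889139.pdf",
    )
    for finding in analyze(sample)["findings"]:
        print(finding)
```

Two caveats a practitioner should keep in mind before pointing this at real samples. The regex extractor only sees /URI actions written as plain objects; annotations packed into object streams (/ObjStm) or streams with filters other than FlateDecode are missed, so a production version should sit on a real parser such as pypdf or pdfminer. And wkhtmltopdf-style text is often emitted in positioned fragments, so a URL in the page body can be split across several Tj/TJ operands; reassembling text per line before matching is what keeps the document-text channel from going quiet on exactly the multi-URL lures this report lists.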

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_002_off000039f8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x39F8 | 23100 bytes | 21b70a960629dc879c89b0e66d508352b6d0ca0ae64fda572694de55ccc2b993
font_01_sfnt_off00006dee.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6DEE | 18692 bytes | d31088ae19f241ea86c3227f133fc8e6698cecaa627da06b5b2cde690df300ac