Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cddb52b2860d73b…

MALICIOUS

PDF

48.0 KB Created: 2021-05-10 13:15:45 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-07
MD5: 5076a5c80648f316b3c0883fdc02cb3f SHA-1: 505439a77a25315451d83fc58c24ba43df55e4fc SHA-256: 9cddb52b2860d73bcb12310a412be5b2f01e6b4d0aef74d3301ae71576b8d441
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and links to external URLs, including one identified as a game hack redirector. The ML classifier strongly flagged this PDF as malicious. The embedded JavaScript likely attempts to exploit vulnerabilities or redirect the user to a malicious site, aligning with the game hack lure to trick users into clicking malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9692

Heuristics 5

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/hacks-for-roblox-jailbreak-game-hack PDF link annotation
    • https://cheryco.ir/assets/public/js/uploading/files/coin-master-links-free-spins_GM406889139.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/roblox-free-rubox_GM431946152.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/coin-master-free-spins-2021-generator_GM406889139.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/hack-coin-master-for-iphone_GM406889139.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/how-to-hack-coin-master-game-2021_GM406889139.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/how-to-hack-someones-roblox-account_GM431946152.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/roblox-hacking-website_GM431946152.pdfIn PDF document text
    • https://cheryco.ir/assets/public/js/uploading/files/how-to-hack-and-get-free-robux_GM431946152.pdfIn PDF document text
    • http://wolfzscriptsIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003e17.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E17 36956 bytes
SHA-256: 5e4cc43a2b6d6ba9a2f5ef5f5dabf2f2e7e6d4209d23cf0400ef8aa4fc95af3e
font_01_sfnt_off00008f68.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8F68 2832 bytes
SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
font_02_sfnt_off00009919.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9919 18632 bytes
SHA-256: 0c6da94061aa06f3897ec4e3cf893835e909886797588b4f947a24dee870a8ce

Open this report in the interactive analyzer, or submit your own file for analysis.