Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cdf53f86b808020…

MALICIOUS

PDF

34.8 KB Created: 2021-05-20 21:57:45 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0bf54b2af1d08c50139dc9576c91a695 SHA-1: 717f7962ba062aa987aac4cfdce534c715814e65 SHA-256: 9cdf53f86b808020d74abe83748dacfc6c4f0e6bd1f30356827b1e91e18c3a2b
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF contains heuristics indicating it is malicious and attempts to lure the user with a download button and a browser extension installation lure. The document body and embedded URLs promote free game currency or cheats, directing users to external sites that likely host malware. No scripts were extracted, but the overall pattern suggests a downloader or redirector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9492

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/tiktok-comments-free-game-hack
    • http://d-cision.nl/images/free-robux-without-downloading-anything_GM431946152.pdf
    • http://d-cision.nl/images/roblox-com-free-robux_GM431946152.pdf
    • http://d-cision.nl/images/how-many-free-spin-links-is-there-for-coin-master_GM406889139.pdf
    • http://d-cision.nl/images/games-that-give-you-free-robux_GM431946152.pdf
    • http://d-cision.nl/images/free-robux-script_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003103.bin
b5501096700a39bc1559c45cc59c6ec7c6e8304a10a209537666ed2333ae7a45		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3103 24224 bytes
font_01_sfnt_off00006842.bin
7d11e26bc137394c80b9b8e9d0677cc530b42dd3bf172d18943544e921c1513e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6842 17716 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.