Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cec6a345ddfee78…

MALICIOUS

PDF

48.2 KB Created: 2021-05-15 00:13:15 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2026-06-04
MD5: 5f53e95335fcd432de4c5b4be96a3322 SHA-1: 7c479eebb1f2c3c9ba13f3aabadbccbad127a4fe SHA-256: 9cec6a345ddfee78a06eef3b5ae07bce344fe60dcfcc4a544b0b73b86b03cf89
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a critical heuristic firing for a game hack redirector lure, pointing to a URL that is also flagged as malicious. The document body, though heavily obfuscated, contains references to the malicious URL and appears to be generated by wkhtmltopdf, a tool sometimes used to create malicious PDFs. The presence of embedded URLs and the nature of the lure suggest an attempt to redirect users to potentially harmful content, likely as part of a phishing or scam campaign.

Machine Learning

  • Nyx PDF Classifier clean score 0.0163

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/no-human-verification-game-hack In PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000363a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x363A 41344 bytes
SHA-256: aaa84a621609693d83b655ea871317889a134868e85a27c70fecbe18715b412b
font_01_sfnt_off000091d9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x91D9 2844 bytes
SHA-256: baad2f3f6808f4af03fa9398e38c580c8d846f7f773a947d8cc1f39b2753d31a
font_02_sfnt_off00009b9a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9B9A 18328 bytes
SHA-256: 51e143abff7d47cba3402c6d776d710d5255c0d8709eb27426e755154b5a0611

Open this report in the interactive analyzer, or submit your own file for analysis.