Malicious PDF — malware analysis report

Static analysis result for SHA-256 9da8146fdb6157a3…

MALICIOUS

PDF

36.6 KB Created: 2021-05-23 09:10:24 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 0715c89bacffad85f875a5a30650c6f3 SHA-1: 526c4c4097183b861ecfd70d3cf7b292f26fd538 SHA-256: 9da8146fdb6157a316f82092418562fcb037bc457bb97c0b24ae8a6a71600386
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains multiple embedded URLs and visual lures such as a download button and a QR code, all pointing to external sites. These elements are designed to trick the user into downloading potentially malicious applications, as indicated by the ML classifier and the presence of suspicious URLs. The document body text and heuristics suggest a lure for downloading a Minecraft APK.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-apk-free-download-game-hack PDF link annotation
    • https://tanahlot.id/assets/CKImages/files/free-roblox-avatar_GM431946152.pdfIn PDF document text
    • https://tanahlot.id/assets/CKImages/files/free-robux-that-actually-works_GM431946152.pdfIn PDF document text
    • https://tanahlot.id/assets/CKImages/files/coin-master-rewards-2021_GM406889139.pdfIn PDF document text
    • https://tanahlot.id/assets/CKImages/files/minecraft-games-free-download_GM479516143.pdfIn PDF document text
    • https://tanahlot.id/assets/CKImages/files/how-to-get-free-stuff-on-roblox-2021_GM431946152.pdfIn PDF document text
    • https://discord.ggIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003467.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3467 24528 bytes
SHA-256: c62e9a0f75fbb1041d77a24e78628fbb02640c935e275200cc0f28e80e883c92
font_01_sfnt_off00006cbc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6CBC 18636 bytes
SHA-256: 460052af6c2621f53863fdd0e184641c8149664fef9b3bc68df6f3fcb4cff320

Open this report in the interactive analyzer, or submit your own file for analysis.