Malicious PDF — malware analysis report

Static analysis result for SHA-256 a04c89fa991dbe0c…

Verdict: MALICIOUS

File type: PDF

Size: 43.7 KB
Created: 2021-05-19 18:12:59 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27

MD5: 6f7ed3015a4736fdb0ccf5609545cab5
SHA-1: 862b6a5298d6c4de130bdaf9d6be2f1bebfa27f6
SHA-256: a04c89fa991dbe0caf2b61fcab348e5182d128b7aa29eb954865721e2e916458

Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document employs social engineering tactics, specifically a 'ClickFix' lure, to trick users into clicking embedded links. The document contains multiple URLs that likely lead to malicious downloads, such as game hacks or cheats, as suggested by the document body and extracted URLs. The ML classifier also flagged this PDF as malicious, increasing confidence in its malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics (4)

  • ClickFix social engineering attack (severity: high, rule: SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (channel in parentheses):
    • https://netcdn.xyz/app/479516143/free-texture-packs-for-minecraft-pe-game-hack (PDF link annotation)
    • http://ghhs.com.my/images/get-free-spins-for-coin-master_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/coin-master-hacks-reddit_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/download-hack-coin-master-apk_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/hacks-for-roblox-jailbreak_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/minecraft-bedrock-server-hosting-free_GM479516143.pdf (in PDF document text)
    • http://ghhs.com.my/images/roblox-free-wings_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/coin-master-hack-tool-v1-9-download-free-pc_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/coin-master-unlimited-spin-hack-mod-apk_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/coin-game_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/roblox-free-online-game_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/free-spins-coin-master-2021_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/how-to-get-free-spins-on-coin-master-2021_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/where-to-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/free-spin-in-coin-master_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/coin-master-free-spins-2-5-2021_GM406889139.pdf (in PDF document text)
    • http://ghhs.com.my/images/free-robux-master_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/can-u-get-free-robux_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/how-to-get-minecraft-for-free-on-computer_GM479516143.pdf (in PDF document text)
    • http://ghhs.com.my/images/free-roblox-adopt-me-pets_GM431946152.pdf (in PDF document text)
    • http://ghhs.com.my/images/how-to-get-minecraft-for-free-on-tablet_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000471f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x471F
    Size: 24484 bytes
    SHA-256: 556e218b1e36007bd50afa510be03991196851a7eb9e435ab9dd0309e970a555
  • Filename: font_01_sfnt_off00007e09.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7E09
    Size: 2940 bytes
    SHA-256: eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
  • Filename: font_02_sfnt_off00008819.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8819
    Size: 18384 bytes
    SHA-256: 4bd922cb808520f712e6f68915d55ea385c9bd17e049420b207e71ca6d562f93