Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5c4c0dbafd5725b…

MALICIOUS

PDF

41.2 KB Created: 2021-05-21 10:31:31 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 823b14bf627ced684721ec8b3c11b4e4 SHA-1: 666966d8da987994b9ea1c47f929674e0dcd2f49 SHA-256: a5c4c0dbafd5725b36af37b7db12fc857e8b770754130739747516ca21a0cb72
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains multiple embedded URLs and a prominent call-to-action to download a file, disguised as a game hack. The ML classifier also flagged this PDF as malicious. The presence of download lures and external links strongly suggests an attempt to trick the user into downloading and executing a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6895

Heuristics 4

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-free-apk-download-0.16-0-game-hack PDF link annotation
    • https://e-learningman12jakarta.com/__statics/gudangsoal/files/android-coin-master-3433-apk-hack_GM406889139.pdfIn PDF document text
    • https://e-learningman12jakarta.com/__statics/gudangsoal/files/how-to-hack-roblox-accounts-on-phone_GM431946152.pdfIn PDF document text
    • https://e-learningman12jakarta.com/__statics/gudangsoal/files/in-which-country-pubg-uc-is-cheapest_GM1330123889.pdfIn PDF document text
    • https://e-learningman12jakarta.com/__statics/gudangsoal/files/free-spin-app-for-coin-master_GM406889139.pdfIn PDF document text
    • https://e-learningman12jakarta.com/__statics/gudangsoal/files/mobihack-roblox-hack_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003944.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3944 25472 bytes
SHA-256: 645383ba8b21684e9e670208f083d5f4afe77e588a87dc3d5dcc2fbbd1734b5a
font_01_sfnt_off00007332.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7332 2880 bytes
SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
font_02_sfnt_off00007d1d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7D1D 19148 bytes
SHA-256: 3507008b4212a52d69c24dcd83de893790144b2a49dbdb50a534c155473a1d89

Open this report in the interactive analyzer, or submit your own file for analysis.