Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8b1b31d3726238a…

MALICIOUS

PDF

42.0 KB Created: 2021-05-10 18:06:20 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 9fbda251e5b4741e83362e22e1b7ec89 SHA-1: 67b1e2cd53a973975c00e5f89657644837ce1031 SHA-256: b8b1b31d3726238a6d12b775fbb453dfc88083fca0877e876019e3814e754d8a
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains lures related to invoices and download buttons, impersonating Microsoft to trick users into clicking malicious links. The primary link, https://netcdn.xyz/app/479516143/minecraft-servers-that-allow-hacks-game-hack, is associated with brand impersonation and credential phishing. While no scripts were explicitly extracted, the ML classifier strongly indicates maliciousness, and the embedded URLs suggest a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 5

  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/479516143/minecraft-servers-that-allow-hacks-game-hack.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-servers-that-allow-hacks-game-hack PDF link annotation
    • https://wandpiraten.de/images/free-coin-master-spins-hack_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/is-minecraft-bedrock-edition-free_GM479516143.pdfIn PDF document text
    • https://wandpiraten.de/images/roblox-hacked-com-2021_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/village-coin_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/robux-premium_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/coin-master-hack-xyz-download_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/coin-master-free-spins-daily_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/free-roblox-accounts-with-robux-that-work-2021_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/how-can-u-get-free-robux_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/coin-master-free-spins-cheats_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/free-coin-master-spins-2021_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/how-to-make-a-private-server-on-roblox-for-free_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/roblox-hack-unlimited-robux_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/free-headless-head-roblox_GM431946152.pdfIn PDF document text
    • https://wandpiraten.de/images/hack-coin-master-free-spins_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/archery-master-3d-coins-hack_GM406889139.pdfIn PDF document text
    • https://wandpiraten.de/images/how-to-get-free-gamepasses-on-roblox_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000049b7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x49B7 24892 bytes
SHA-256: da0372533d69ef945f951ebafd6d9368397bd883c7325686f3b0cf7d2e4b63f4
font_01_sfnt_off000081cc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x81CC 18396 bytes
SHA-256: 9f0f6966d160eb4a8d7c12083ffcfddab2fd99c1ceedc8c822370871be153b2a