Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce9bb951fb10220e…

MALICIOUS

PDF

23.4 KB Created: 2021-05-15 22:33:20 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-29
MD5: e5e97b59a5cb88945206a9b19fd78523 SHA-1: ad661b3309755afbdebd9594bd48bddb38e0e0f1 SHA-256: ce9bb951fb10220e71b9053517e7becff8ada9627649f93b656510883e003039
74 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document was flagged as malicious by an ML classifier. The file routes users through malicious redirector infrastructure. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7899

Heuristics 3

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-hacks-2021-game-hack PDF link annotation

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003233.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3233 17908 bytes
SHA-256: ff3f87b6083388488f7922131fe00bc58dcfe8625c8e08ac42f4346f7e0d76e2

Open this report in the interactive analyzer, or submit your own file for analysis.