Malicious PDF — malware analysis report

Static analysis result for SHA-256 d39b6af779c73cb4…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2021-05-22 12:34:25 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b59f00b5bdf163850892832d4774ea78
SHA-1: 85667f45eac47733a014480ed91c53079f3debf3
SHA-256: d39b6af779c73cb4cbcb04efea62aac9b95ef420fc51694d394c1bbc65a14c8d
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text that lure the user with promises of free Minecraft hosting and generator tools. The primary malicious URL identified is https://netcdn.xyz/app/479516143/free-minecraft-hosting-game-hack, which is likely a landing page for malware distribution. The presence of multiple related URLs suggests a campaign focused on gaming-related lures.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9508

Heuristics (4)

  • QR-code redirect lure [severity: medium, id: SE_QR_LURE]
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure [severity: low, id: SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info, id: PDF_URI]
    PDF contains an external URL action
  • Embedded URL [severity: info, id: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: https://netcdn.xyz/app/479516143/free-minecraft-hosting-game-hack
    Other extracted URLs:
    • https://e-learning.mtsnegeri1ende.sch.id/__statics/gudangsoal/files/10-free-spins-coin-master_GM406889139.pdf
    • https://e-learning.mtsnegeri1ende.sch.id/__statics/gudangsoal/files/minecraft_GM479516143.pdf
    • https://e-learning.mtsnegeri1ende.sch.id/__statics/gudangsoal/files/coin-master-spin-hack-no-verification_GM406889139.pdf
    • https://e-learning.mtsnegeri1ende.sch.id/__statics/gudangsoal/files/coin-master-hack-mod-apk-free-download_GM406889139.pdf
    • https://e-learning.mtsnegeri1ende.sch.id/__statics/gudangsoal/files/coin-master-daily-free-spins-link-facebook_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000031f8.bin
    SHA-256: 076b475c71c181ffec0a43f6f5ef57de388b89d67e1d7941fad559395e3bf5b0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31F8
    Size: 24128 bytes
  • font_01_sfnt_off00006907.bin
    SHA-256: bf6ae4c6721fa3eadf2b386a9cfec38fcd2e671f0767c49619a657aa344fd652
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6907
    Size: 17996 bytes