Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1f9b8acf1322d2e…

MALICIOUS

PDF

41.9 KB Created: 2021-05-30 07:19:17 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: aa450025d84bdafa1a8896c9e51982d3 SHA-1: 7be28182b22e5f0a737b6024c5fb77bc2ab85add SHA-256: e1f9b8acf1322d2e5b068d9358a5b7fd22202c8a58a55527771f27a45e9cfecf
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and a visual download lure, attempting to trick users into downloading malicious content by offering free game accounts and in-game currency. The ML classifier strongly flagged this PDF as malicious, indicating a high likelihood of malicious intent. While no scripts were explicitly extracted, the presence of external URIs and the lure suggest a phishing or downloader attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9908

Heuristics 4

  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/free-minecraft-java-account-game-hack
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/is-minecraft-java-edition-free_GM479516143.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/get-tiktok-followers-free_GM835599320.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-robux-no-human-verification-or-survey-or-download_GM431946152.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-tiktok-accounts-and-passwords_GM835599320.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/minecraft-pocket-edition-free_GM479516143.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/minecraft-pe-free_GM479516143.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-robux-script_GM431946152.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/how-to-get-free-tiktok-fans_GM835599320.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-tiktok-fans-and-likes_GM835599320.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-roblox-hack_GM431946152.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/coin-master-free-spins-link-today_GM406889139.pdf
    • https://multicarlo-bhp.pl/wp-content/uploads/fsqm-files/free-robux-generator-no-survey_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003d5a.bin
df9501f5dc2043520d7f07c8726540d04b223fed2bba9c5471777bfc813aff87		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3D5A 25976 bytes
font_01_sfnt_off00007888.bin
10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7888 2880 bytes
font_02_sfnt_off00008272.bin
ad2a0848393495eee102bd1b36be1bc15cd9afc8a8e02692ab65cad6db8d4212		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8272 18128 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.