Malicious PDF — malware analysis report

Static analysis result for SHA-256 e27f9dcab80e1bdc…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Created: 2021-05-22 14:37:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ac22c804f44ca50ac3af6b7fa366d804
SHA-1: bc5f94acdeccc7d04587916c759807618f2177f9
SHA-256: e27f9dcab80e1bdc4a4a29d786c6ef3aa2febaf5707c52ac83a911f56a5319fd
Risk score: 62

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains multiple embedded URLs and a prominent 'CLICK HERE TO ACCESS MINECRAFT GENERATOR' call-to-action, suggesting a lure for users to download potentially malicious content. The ML classifier also flagged the PDF with high confidence. The presence of multiple links to 'free apk' and 'hack' related content reinforces the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • QR-code redirect lure (severity: medium) SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/minecraft-pe-free-apk-game-hack
    • http://www.pustakaekspresi.com/new/public/ckfinder/userfiles/files/free-robux-instantly_GM431946152.pdf
    • http://www.pustakaekspresi.com/new/public/ckfinder/userfiles/files/coin-master-free-coins-and-spins-blogspot_GM406889139.pdf
    • http://www.pustakaekspresi.com/new/public/ckfinder/userfiles/files/coin-master-hack-xyz-download-free_GM406889139.pdf
    • http://www.pustakaekspresi.com/new/public/ckfinder/userfiles/files/promo-codes-to-get-free-robux_GM431946152.pdf
    • http://www.pustakaekspresi.com/new/public/ckfinder/userfiles/files/how-to-get-free-robux-on-phone_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000355d.bin
    SHA-256: 55680e3c56542f7ce768a3e5de8353a08350c0804f7aa97a46995e39f0731b13
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x355D
    Size: 25748 bytes
  • Filename: font_01_sfnt_off00007008.bin
    SHA-256: 35104518e66c8492531759eb706d86fdb36771bd3dd1e1625049e5bd6be6693d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7008
    Size: 18068 bytes