Malicious PDF — malware analysis report

Static analysis result for SHA-256 e37ddbcbe7297e27…

Verdict: MALICIOUS

File type: PDF
Size: 36.5 KB
Created: 2021-05-23 06:36:13 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0640aaa7aa636ea909e1219abbf63548
SHA-1: a93a2157cd0e4cdd47c3e4e5655368f965f0957e
SHA-256: e37ddbcbe7297e2748d30b46768c057bd4fb3e85e75a49a2341081fe5a0fc210

Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs, and its document body (the DOC BODY channel) explicitly mentions 'Free Minecraft Alts' and links to a URL associated with game hacks. The ML classifier also flagged this PDF as malicious. While no scripts were extracted, the presence of external URIs together with the lure text strongly suggests an attempt to trick users into downloading malware, most likely delivered as a phishing attachment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9447

Heuristics (4)

  • Callback phishing phone lure (medium) SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://netcdn.xyz/app/479516143/free-minecraft-alts-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000365c.bin
    SHA-256: a2b82edb741890384deb4196d3e5eabd660b236143f32e1e89edcb606e5e9255
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x365C
    Size: 25384 bytes
  • Filename: font_01_sfnt_off00006fa4.bin
    SHA-256: 4350bb70586d7d356c834f80239bf16b03274066df9e9143be1036ee17eff588
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FA4
    Size: 17644 bytes