Malicious PDF — malware analysis report

Static analysis result for SHA-256 e56c12d42f905776…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Created: 2021-05-21 16:00:50 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a4f9c025f22c5259f422353495a6e468
SHA-1: e41d4378f1b45ac2b31e1af1a17c20a140c72b2f
SHA-256: e56c12d42f9057768b85e5b69922353ee0cb96709539ec4f65bfc2e7f794e558
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded links and a call-to-action suggesting a lure for free in-game currency. The ML classifier strongly flagged this PDF as malicious, and the presence of multiple suspicious URLs reinforces this assessment. The document's content and structure indicate an attempt to trick the user into visiting a potentially malicious website, possibly to download further malware or engage in a scam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off000033fd.bin
    SHA-256: 70c86182729338fce5c9c81db3255d9b001063645ea1173525a43c8fe13aa35c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x33FD
    Size: 28116 bytes
  • Filename: font_01_sfnt_off00007300.bin
    SHA-256: 1b721abad2735a8fbe19a03a2bac086d9eea3fd34ae873613b34203f1596ee94
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7300
    Size: 17872 bytes