Malicious PDF — malware analysis report

Static analysis result for SHA-256 e823220a7e8fb4d0…

Verdict: MALICIOUS
File type: PDF
Size: 46.3 KB
Created: 2021-06-03 22:00:08 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 0a890225e16b128ad1278ada4ff4b668
SHA-1: 9df92f53e6a6c62fc16a0964c4d58be42b46d429
SHA-256: e823220a7e8fb4d090a64e12a3c1ce8edeb52c0ec6b2d93406f4aa23a655e10a
Risk score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains embedded URLs and heuristics indicate brand impersonation for credential phishing, specifically impersonating Microsoft. The document body, though heavily obfuscated, contains references to game-related content and numerous URLs pointing to external resources, suggesting a lure to download or access malicious content. The primary attack pattern involves directing users to external sites that likely host malware or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9748

Heuristics (4)

  • Brand-impersonation credential phishing lure (severity: high) SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.online/app/479516143/minecraft-noob-vs-pro-vs-hacker-game-hack.
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.online/app/479516143/minecraft-noob-vs-pro-vs-hacker-game-hack (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000051e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x51E4
    Size: 24460 bytes
    SHA-256: 1c5c84fd0d94d7b7a4648270cda2c99c1857b2cdae50f5cf6e1fc1dc30f9c7a1
  • Filename: font_01_sfnt_off0000885c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x885C
    Size: 2840 bytes
    SHA-256: 3fb127b764b9d10f5525bc4de5ec8316de704409ccb0cf21cff3ad8a30d11676
  • Filename: font_02_sfnt_off0000920d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x920D
    Size: 18328 bytes
    SHA-256: a3a1f77715833b119a7491346a779344ae6dab601cd7000bc388e6bf0c64b7ed