Malicious PDF — malware analysis report

Static analysis result for SHA-256 f64ef51a10b807b5…

Verdict: MALICIOUS
File type: PDF
Size: 45.5 KB
Created: 2021-05-16 01:22:25 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a7ef1c8aee03747bd9887ddaea4e50a2
SHA-1: c9615367b7a128b8563ac5ba0b326646bb30b9bd
SHA-256: f64ef51a10b807b5f8b6f0037af6cab179d81dcfb22de155ae61bdaccd1ca98f
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous embedded URLs and a visual call-to-action button, strongly suggesting a phishing or scam attempt. The ML classifier also flagged this PDF as malicious. The document body, though partially corrupted, contains text related to free spins and game hacks, aligning with the embedded URLs that promise similar content. No scripts were extracted, but the presence of multiple malicious URLs indicates a likely attempt to redirect users to exploit kits or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9507

Heuristics (4)

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/406889139/how-to-get-daily-free-spins-on-coin-master-game-hack
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/minecraft-that-you-can-play-for-free_GM479516143.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-hack-pro-gamers_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-34-4-free-download_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/apps-that-give-you-free-robux_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-gift-hack_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/daily-coin-master-free-spin-link_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/javascript-free-robux_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-daily-free-spins_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/roblox-play-now-for-free_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/free-robux-without-offers_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/today-coin-master-spin-free_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/claimrbx-free-robux_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/roblox-bux-free_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/free-minecraft-addons_GM479516143.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/free-spins-and-coins-for-coin-master-game_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/aristois-minecraft-hack_GM479516143.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-hack-spins_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/coin-master-hack-game-download-mod-apk_GM406889139.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/how-to-hack-roblox-accounts-on-phone-2021_GM431946152.pdf
    • https://surpetgarut-tmcollection.com/ckfinder/userfiles/files/apps-to-get-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  Filename                        Kind                     Source                                      Size
  stream_003_off00004d53.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x4D53    24244 bytes
    SHA-256: 466425a8987f910d3e3a33d71f684134ebc97c9e62837b8d5b50f8805369c3a1
  font_01_sfnt_off000084e9.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x84E9   2840 bytes
    SHA-256: 3fb127b764b9d10f5525bc4de5ec8316de704409ccb0cf21cff3ad8a30d11676
  font_02_sfnt_off00008e9b.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x8E9B   18472 bytes
    SHA-256: 39c175e238be4f7921b046c78c06fe9a00b09eca58e402890515fe03c626abe6