Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa0a25116c1ddc01…

Verdict: MALICIOUS
File type: PDF

Size: 40.3 KB
Created: 2021-05-19 13:06:37 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b21444a543bb45ec5490b08f1a735b98
SHA-1: 6bd77a13ba73eb4addf50f4eb458e8e02a0a154d
SHA-256: fa0a25116c1ddc0169a12326dd9d2a18deddc745833cdf5a80a5e524e1770843
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains multiple embedded URLs and a heuristic firing for a browser installation lure, indicating a social engineering attempt to trick the user into downloading a malicious file. The document body and extracted URLs suggest the lure is related to game hacks or cheats, likely leading to credential theft or malware installation. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • Browser extension / update installation lure (severity: high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     | Kind                    | Source                                    | Size
stream_003_off000045d9.bin   | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x45D9  | 23920 bytes
    SHA-256: 127c17f9fedf6329257f02e43a0193aff5d8a1169be132d8ac6118cfd9ff5015
font_01_sfnt_off00007c97.bin | pdf-font-stream         | PDF embedded font (sfnt) at offset 0x7C97 | 17744 bytes
    SHA-256: dfd8b5f3a328d374074f034a5d4f42f40b7b92c78a92880825149ce4fd58007d