Malicious PDF — malware analysis report

Static analysis result for SHA-256 03081ba2d5910499…

MALICIOUS

PDF

Size: 42.4 KB
Created: 2021-05-12 08:43:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 67e647cf0c87d9c6394181243e01b9bf
SHA-1: a8283da283cbe95af4223ce8d7d4aea181806736
SHA-256: 03081ba2d59104997cb1ce8a6708360a94cd5771f0cd8a9dfef94b293904ca15
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The document exhibits the characteristics of a malicious lure: a fake game download combined with a remote-support-tool pretext. The external URI action pointing to a download site, together with the ML classifier's high-confidence score, indicates malicious intent. The document body contains obfuscated text and URLs that likely lead to further malicious content or malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/minecraft-java-free-download-game-hack

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off000049f3.bin
    SHA-256: bf602231e73f0662af830dbb205e3f2609b5169d80134885ae786db56fd4f55b
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x49F3
    Size: 24968 bytes
  • Filename: font_01_sfnt_off0000829e.bin
    SHA-256: 84d994c9ca9b5ef406cb0cbd16402c282b50396e13120ada9f75f5d4c4d42292
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x829E
    Size: 18572 bytes