Malicious PDF — malware analysis report

Static analysis result for SHA-256 03c8863a442eb4ed…

MALICIOUS

PDF

38.1 KB Created: 2021-05-20 20:40:43 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 008a57400203e34406d3c5de0f6b0cbf SHA-1: b96a556f7f7623f0b03042a5da5a089b2825367a SHA-256: 03c8863a442eb4edd7a39a1ac1354241fe9ac4db2b6bfe84e9fabd4d107153d6
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a fake CAPTCHA lure, a common social engineering tactic to trick users into interacting with malicious content. It also embeds multiple URLs, with one pointing to a suspicious domain associated with game hacks, suggesting a phishing or malware distribution attempt. The ML classifier also flagged this PDF as malicious, increasing confidence in its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9407

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-bloxburg-free-money-game-hack
    • http://gamardelli.com.br/images/ckfinder/files/roblox-sign-in-free_GM431946152.pdf
    • http://gamardelli.com.br/images/ckfinder/files/coin-master-20-free-spins-link-today_GM406889139.pdf
    • http://gamardelli.com.br/images/ckfinder/files/coin-master-hack-here_GM406889139.pdf
    • http://gamardelli.com.br/images/ckfinder/files/minecraft-server-free-trial_GM479516143.pdf
    • http://gamardelli.com.br/images/ckfinder/files/minecraft-windows-10-hacked-client_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003315.bin
db6ee896e284409efbff0592aca11eb62cbf99db2cd25c53023ee3f8cc35667c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3315 27032 bytes
font_01_sfnt_off00007247.bin
c72edf7f295ea5b6e4c4fbac7fffd7f1014e7fa72a796dfc48705834c0b32895		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7247 18752 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.