Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d65ad8e2e4a63fe…

MALICIOUS

PDF

Size: 39.7 KB
Created: 2021-05-20 16:01:07 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3fc3261bbde8f29e55f1ed3076eed1bf
SHA-1: 94e2fe2d8ca8ef058ab5bb4322329c25603899c3
SHA-256: 1d65ad8e2e4a63fe76f37a55ea7be68e72c8c598e86e86d2178b6b81e15ef948
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The document presents a fake CAPTCHA and a download button to trick the user into clicking a malicious link. The embedded URLs and document body content strongly suggest a lure for free in-game currency or items, a common social engineering tactic. No scripts were extracted, limiting the analysis to the document's visual and textual lures.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7743

Heuristics (4)

  • SE_FAKE_CAPTCHA [severity: high] Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • SE_DOWNLOAD_BUTTON [severity: low] Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • PDF_URI [severity: info] External URI
    PDF contains an external URL action
  • EMBEDDED_URL [severity: info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/406889139/how-to-get-free-spins-and-coins-on-coin-master-game-hack
    • https://mountainholidaytreks.com/userfiles/files/coin-master-unlimited-free-spins_GM406889139.pdf
    • https://mountainholidaytreks.com/userfiles/files/how-to-get-free-robux-without-verifying_GM431946152.pdf
    • https://mountainholidaytreks.com/userfiles/files/game-coin-master-hack_GM406889139.pdf
    • https://mountainholidaytreks.com/userfiles/files/coin-master-blogspot-links_GM406889139.pdf
    • https://mountainholidaytreks.com/userfiles/files/pokemon-go-windows-free-download_GM1094591345.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000351e.bin
  SHA-256: a4045fc1614df249a30c7773db95e2f280dba8beb21408113b5e898337334c31
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x351E
  Size:    25588 bytes

Filename: font_01_sfnt_off00006fcf.bin
  SHA-256: 709bf95dbf65b0df8befcda2531d8b15ff768d9fedb280bcb80e491eb7260bb6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6FCF
  Size:    2940 bytes

Filename: font_02_sfnt_off000079e0.bin
  SHA-256: c3eeb8e5bbecb0a66d0dccf890560b2772aaf25cfcf2943a976e8e45774626aa
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x79E0
  Size:    18224 bytes