Malicious PDF — malware analysis report

Static analysis result for SHA-256 261e6ba3ee10bf48…

MALICIOUS

PDF

Size: 39.9 KB
Created: 2021-05-23 02:51:34 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 338a7280257f66f044bb22c54d4ec22a
SHA-1: 2255216d5487add65379c8649cb0f3c96cfba1bc
SHA-256: 261e6ba3ee10bf48b625fb70aa816bae8df67bcc570bf7e1fc0df3a38a36e246
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains lures related to "Minecraft Pe Hacks" and "CLICK HERE TO ACCESS MINECRAFT GENERATOR", along with multiple embedded URLs pointing to potentially malicious content. The presence of a remote-support tool lure and a high ML classifier score further indicate malicious intent: the document is most likely designed to trick the user into downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8060

Heuristics (4)

  • Remote-support tool lure [high] SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/minecraft-pe-hacks-game-hack
    • https://dripalia.com/images/minecraft-dungeons-free_GM479516143.pdf
    • https://dripalia.com/images/coin-master-links-for-free-spins-2021_GM406889139.pdf
    • https://dripalia.com/images/minecraft-free-ios_GM479516143.pdf
    • https://dripalia.com/images/how-to-get-free-robux-for-free_GM431946152.pdf
    • https://dripalia.com/images/coin-master-free-spins-link-blogspot_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • stream_002_off00003055.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3055
    Size: 29224 bytes
    SHA-256: 6a92b8c5347ec6468bd710b02f545b78fbb63a5ff03b52c03f982934933dcff2
  • font_01_sfnt_off000071f4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71F4
    Size: 2940 bytes
    SHA-256: eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
  • font_02_sfnt_off00007c04.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C04
    Size: 17892 bytes
    SHA-256: fda2b16deba9a1c4b3626a8ad3479d009d1f56903d8778c05817a0c1608b8b5f