Malicious PDF — malware analysis report

Static analysis result for SHA-256 28e8e7d3b968c6d5…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Created: 2021-05-24 04:43:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: aeb3d1664454a819e2f359872014d3b6
SHA-1: 8984ff6343ac71bdbe882b923da9a032146a41b0
SHA-256: 28e8e7d3b968c6d557f9331411474ccef2fca98bb2147b86c4cd8da00a86bfd9
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains multiple embedded URLs, including one pointing to a "minecraft-windows-10-edition-free-game-hack". The 'SE_CLICKFIX' heuristic indicates the document likely instructs the user to run a command, a common social engineering tactic. The ML classifier also flagged the PDF as malicious with high confidence. The presence of embedded URLs and the social engineering lure suggest the document is designed to trick users into downloading malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9616

Heuristics (4)

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/minecraft-windows-10-edition-free-game-hack
    • http://www.gearestauri.it/images/roblox-games-com-free_GM431946152.pdf
    • http://www.gearestauri.it/images/coin-master-hack-ios-reddit_GM406889139.pdf
    • http://www.gearestauri.it/images/free-spins-on-coin-master-hack_GM406889139.pdf
    • http://www.gearestauri.it/images/how-to-get-free-robux-in-2021_GM431946152.pdf
    • http://www.gearestauri.it/images/free-tiktok-followers-no-human-verification-or-survey_GM835599320.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off00003354.bin
    SHA-256: c4e81fa35efd9a7bc35112e31e7a18c7015074f5506192ee75f19dd25783bcdb
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3354
    Size: 25624 bytes
  • font_01_sfnt_off00006daf.bin
    SHA-256: 0bf31bed13672a3e0ec3830f17f3a108a804d8b157495bd7936eaddb95c84b8e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DAF
    Size: 18524 bytes