Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c3d79b14fe41986…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Created: 2021-05-19 01:30:16 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: c8f854586db3761b89d328b0d196464c
SHA-1: a06580e33a7d2363bbc188d7cdc303c333546f58
SHA-256: 2c3d79b14fe419860c59a06730eca297b06e2d411b5e133bd2bf15d35a3ed875
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains embedded URLs and a heuristic firing for a visual download button, suggesting a lure to download external content. The presence of an MFA lure heuristic indicates a potential credential harvesting attempt or abuse of multi-factor authentication. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to trick users into executing malicious files or providing sensitive information.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • MFA / one-time-code harvesting lure (severity: high) [SE_MFA_LURE]
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Visual download / call-to-action button lure (severity: low) [SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) [PDF_URI]
    PDF contains an external URL action
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00004a55.bin
    SHA-256: f76cc74c3bcf1ec73969180259d352e123f1e56bc1c35fda3d7dbebef6b56dc7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4A55
    Size: 25384 bytes
  • Filename: font_01_sfnt_off000082f6.bin
    SHA-256: 6ba17287ece0bd6e43188543db859312c9d6f7bb34112db36ebcb97f73d77a47
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x82F6
    Size: 18472 bytes