Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d4301d9603df1a0…

Verdict: MALICIOUS

File type: PDF

Size: 36.0 KB
Created: 2021-05-22 10:07:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ea1a297c0b5ed3c1fe1b0a55efe3f59f
SHA-1: 09a46017316dddbd71f8a6d055fb55578d24aeb1
SHA-256: 2d4301d9603df1a00ee3c6eb03d2e07f36c58384f648f2da3e5c95877c60ebe5
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains lures for downloading a 'Minecraft Fly Hack' and claims to offer remote support, indicating a social engineering attack. It embeds multiple URLs pointing to potentially malicious content, including one directly related to the 'Minecraft Fly Hack' lure. While no scripts were explicitly extracted, the ML classifier and the presence of external URIs strongly suggest malicious intent, likely to deliver a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9492

Heuristics (4)

  • Remote-support tool lure [high] SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/minecraft-fly-hack-game-hack
    • http://uctaren.eu/images/daily-spin-and-coin_GM406889139.pdf
    • http://uctaren.eu/images/coin-master-daily-free-spin-and-coin_GM406889139.pdf
    • http://uctaren.eu/images/free-robux-com-2021_GM431946152.pdf
    • http://uctaren.eu/images/tiktok-free-view-jio-phone_GM835599320.pdf
    • http://uctaren.eu/images/how-to-get-free-outfits-on-roblox_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off00003351.bin
    SHA-256: 0b4eb2aa53609e8ef454b2b7a9bdc01c6e937adb823aa8611945b3bdcb868ef9
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3351
    Size: 25192 bytes
  • font_01_sfnt_off00006c8a.bin
    SHA-256: 06651707645ad1f4ebda8b3f746ca430a0b9618d46277a77061ba05985c34688
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C8A
    Size: 17992 bytes