Malicious PDF — malware analysis report

Static analysis result for SHA-256 452ff187c4e53d38…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Created: 2021-05-23 03:18:26 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 8d125d8526a5c6b1a849696a4e0d2aec
SHA-1: e57c4a68ad2ceda8b24c891c847d304d8c8df64c
SHA-256: 452ff187c4e53d38b3b0a73920f5d5833fc5cea68c0fd9a5a3e2016d963ebc98
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains a fake CAPTCHA lure, designed to trick the user into interacting with a malicious link. This is supported by the 'SE_FAKE_CAPTCHA' heuristic firing. The document also embeds multiple URLs, one of which is directly associated with the fake CAPTCHA prompt, suggesting a download or redirection to a malicious payload. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9492

Heuristics (4)

  • SE_FAKE_CAPTCHA (high): Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off0000331e.bin
    SHA-256: 02d92525cfc072b61ba0034b5b0f1797117219ef0914a63a452a4a13238154b0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x331E
    Size: 24876 bytes
  • font_01_sfnt_off00006b60.bin
    SHA-256: c81a05c902e5b7336ce3afe221fe42e1a1247b419ae57a3dec90c8cc8a9629c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6B60
    Size: 18268 bytes