Malicious PDF — malware analysis report

Static analysis result for SHA-256 46137679ee3612a8…

MALICIOUS

PDF

Size: 37.5 KB
Created: 2021-05-22 04:14:58 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 83bfa8b74313e048a89f63fde50ccc15
SHA-1: e646c044a4f918f091c0469c589cf87e153d8fdc
SHA-256: 46137679ee3612a849863b8f78758a5c1ef5449f226b3d725c39bcef0325cbad
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains social engineering lures, including fake invoice and download button prompts, designed to trick the user into clicking embedded malicious links. The primary link, https://netcdn.xyz/app/479516143/minecraft-apk-free-download-0.16-0-game-hack, appears to be a lure for a malicious download. The document body also contains multiple other suspicious URLs pointing to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9447

Heuristics (5)

  • ClickFix social engineering attack (severity: high, id: SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Fake invoice / payment lure (severity: low, id: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure (severity: low, id: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, id: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/minecraft-apk-free-download-0.16-0-game-hack
    • https://my-private-intendant.com/images/coin-master-free-spins-app_GM406889139.pdf
    • https://my-private-intendant.com/images/free-daily-spins-coin-master-2021_GM406889139.pdf
    • https://my-private-intendant.com/images/get-2021-free-spins-on-coin-master_GM406889139.pdf
    • https://my-private-intendant.com/images/how-to-make-my-own-coin-master-cards-hack_GM406889139.pdf
    • https://my-private-intendant.com/images/uprobuxcom-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off000034b6.bin
    SHA-256: e5988d30a2511252b53cf5d916b0f43e7fa3b532b1b74a9af761ae9e98d82a87
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x34B6
    Size: 26460 bytes
  • font_01_sfnt_off00006e99.bin
    SHA-256: 143cdc4e5324f1572c7170c4fe37a033449aea51cdd3ec4d91b7fb0cb62456a0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E99
    Size: 19148 bytes