Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ad5d850920a57af…

MALICIOUS

PDF

40.9 KB Created: 2021-05-21 11:57:39 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 69e092d0abd4e6b212b42c16221bb076 SHA-1: 1e9a709eba3e2861546d4946610d1c6e60e8249f SHA-256: 4ad5d850920a57afeb98eed285a9e0b3b8a32e701b6350fb3a0e14bf1a6d304a
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains multiple embedded URLs and a call-to-action button, suggesting it is designed to trick users into downloading further malicious content. The presence of a remote-support tool lure heuristic, combined with the ML classifier flagging it as malicious, indicates a high likelihood of malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7499

Heuristics 4

  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/free-minecraft-mods-for-ps4-game-hack
    • https://www.elearning.man1bukittinggi.sch.id/__statics/gudangsoal/files/coin-master-hack-cheat-engine_GM406889139.pdf
    • https://elearning.man1bukittinggi.sch.id/__statics/gudangsoal/files/robux-free-robux_GM431946152.pdf
    • https://www.elearning.man1bukittinggi.sch.id/__statics/gudangsoal/files/coin-master-rewards-free-spins_GM406889139.pdf
    • https://www.elearning.man1bukittinggi.sch.id/__statics/gudangsoal/files/robux-hack-free-robux_GM431946152.pdf
    • https://elearning.man1bukittinggi.sch.id/__statics/gudangsoal/files/coin-master-free-spins-today-39_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000363a.bin
14689a477a840c0aab1e832c33dc5b45ac11c8099cc2ec89c205163d608d3d02		 pdf-font-stream PDF embedded font (sfnt) at offset 0x363A 29476 bytes
font_01_sfnt_off00007452.bin
47be8c1e362596fa5bd4ed29acf07edad94632e286ba7a52c809fd696d683e5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7452 3132 bytes
font_02_sfnt_off00007f26.bin
afa4c211481c2918fc981f85699f534e91f71a3c97d40d186225a72223318956		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F26 18100 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.