Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b7ef73ed49468de…

MALICIOUS

PDF

35.4 KB Created: 2021-05-25 07:32:46 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: b2de948b966b816071451a71c8730d7d SHA-1: 2376e8a83c9cbb2504be978fb528e89e01314ba2 SHA-256: 4b7ef73ed49468de549f04b8a80c995632170592a6159653d7144b9e3c6a3bf0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF contains a fake CAPTCHA and social engineering lures designed to trick the user into clicking a download link or executing a command. The embedded URL, https://netcdn.xyz/app/479516143/minecraft-com-free-game-hack, is likely the destination for the malicious payload. The document's structure and heuristics strongly indicate a ClickFix attack pattern.

Machine Learning

  • Nyx PDF Classifier clean score 0.0718

Heuristics 6

  • Fake CAPTCHA with command-running instructions critical SE_FAKE_CAPTCHA_CLICKFIX
    Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-com-free-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000307c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x307C 25408 bytes
SHA-256: 8e3696b9b0e24fa6d24311bf5417e832ec10cd6a59c8569a91ef21f305dbf6e9
font_01_sfnt_off00006a82.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6A82 17968 bytes
SHA-256: 5bf46a6d08d3ffa684fcf656b6008ff7f2ef06acfe8c47aedee45889ac3be72f