Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fd42b176aee2dfd…

MALICIOUS

PDF

37.1 KB Created: 2021-05-22 12:35:23 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9da1569930939c4942cf3161f8c15bd8 SHA-1: 455124aa96b39ea09b5e545f72955324b9f706e9 SHA-256: 4fd42b176aee2dfd9052b9f7b36a62d443a2084265d28be10afc964c395e8373
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF document exhibits social engineering tactics, specifically a "ClickFix" attack, by instructing the user to execute a command to bypass macro restrictions and download a "hacked client". The embedded URLs and document body content strongly suggest a lure for downloading potentially malicious software. No scripts were extracted, but the PDF's structure and heuristics indicate a malicious intent to trick the user into downloading a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-hacked-client-1.12-2-game-hack
    • http://agritrade-ukraine.com/images/free-robux-app_GM431946152.pdf
    • http://agritrade-ukraine.com/images/free-roblox-shirts-templates_GM431946152.pdf
    • http://agritrade-ukraine.com/images/coin-master-hack-2021-app-download_GM406889139.pdf
    • http://agritrade-ukraine.com/images/minecraft-free-download-pc_GM479516143.pdf
    • http://agritrade-ukraine.com/images/free-spins-and-coins-for-coin-master_GM406889139.pdf
    • https://youtu
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033f1.bin
d72973d1213878b4721bb05c5db78687eaa9b66c9a76836293bccab13df35152		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33F1 25936 bytes
font_01_sfnt_off0000701b.bin
63e0cf813ec8bc820137db86bcb3617ef7dd45146c6ac783cccfa5d71b9aece7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x701B 18280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.