Malicious PDF — malware analysis report

Static analysis result for SHA-256 5121b637ab997268…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Created: 2021-05-25 10:34:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 2622848409c24acdb9bdc63889c9c16d
SHA-1: 8f7b85ef86a25bb354dacc3a298fe093ac42a98c
SHA-256: 5121b637ab997268f8a2973fdb38a7d63502615cb09d41573c6df3866e7a2ba5
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains lures for game hacks and a remote support tool, directing users to download further malicious content from provided URLs. The ML classifier also flagged this PDF as malicious. The embedded URLs and the IP address are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8060

Heuristics (5)

  • Remote-support tool lure (high) SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Clickable URI points to raw IP address (medium) PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/minecraft-tiktok-hacks-game-hack
    • http://103.68.2.77/__statics/gudangsoal/files/lazyblox-com-free-robux_GM431946152.pdf
    • http://103.68.2.77/__statics/gudangsoal/files/pubg-uc-meaning_GM1330123889.pdf
    • http://103.68.2.77/__statics/gudangsoal/files/funbloxxyz-free-robux_GM431946152.pdf
    • http://103.68.2.77/__statics/gudangsoal/files/how-to-get-free-robux-no-verification_GM431946152.pdf
    • http://103.68.2.77/__statics/gudangsoal/files/free-2021-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source location inside the PDF, and size.

Filename: stream_002_off00003384.bin
  SHA-256: 50053fbab9553c67c5111ff3cff96575f0a0b6554a5d3fdf5881b82fc2e4a653
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3384
  Size: 25176 bytes

Filename: font_01_sfnt_off00006c61.bin
  SHA-256: 801f6fa60decd1add2f223f91580103c35e150c924465f86a7a572b3e00674f9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6C61
  Size: 3128 bytes

Filename: font_02_sfnt_off000076a0.bin
  SHA-256: d5bc1f00134bcbca17edb073a38cf34a4b8369625bcb3a8e6d2c090e6dde0fec
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x76A0
  Size: 17880 bytes