Malicious PDF — malware analysis report

Static analysis result for SHA-256 59a27405bb5dea22…

MALICIOUS

PDF

36.6 KB Created: 2021-05-25 09:02:33 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6bb4a6a43823e10864b456a236a991ec SHA-1: e6f8d7f916e6bc8bd5d1a4c546b58595c08054c2 SHA-256: 59a27405bb5dea221b54e9cb7148d4d3880ef33397c6b27c389432f2729b7bd1
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains lures for free game hacks and generators, directing users to external URLs for downloads. The presence of embedded URLs and the 'SE_CLIPBOARD_COMMAND_LURE' heuristic indicate an attempt to trick the user into executing malicious content, likely a second-stage payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/play-minecraft-online-free-game-hack
    • https://gzog.pl/images/minecraft-world-free-download_GM479516143.pdf
    • https://gzog.pl/images/coin-master-hack-tool-v1-9-apk_GM406889139.pdf
    • https://gzog.pl/images/rbxoffers-com-free-robux_GM431946152.pdf
    • http://gzog.pl/images/minecraft-bedrock-free_GM479516143.pdf
    • https://gzog.pl/images/cheats-to-get-free-spins-on-coin-master_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000034df.bin
6c7f34076fbcc34778c526f3d8509d04eb7eecd85adc87f68954d12ae0945cb6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x34DF 25692 bytes
font_01_sfnt_off00006efc.bin
e953997c623ab1bd3546e7b188ca680e36d1015a1cf7f46efbbf98890a47325d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EFC 17976 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.