Malicious PDF — malware analysis report

Static analysis result for SHA-256 59ffeacb8c68a624…

MALICIOUS

PDF

37.0 KB Created: 2021-05-20 20:04:53 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 88c7662e5a49e54afbc83b35899a39d6 SHA-1: 7ca0567aca64c385b0d8880a78b7f450a3a6c07a SHA-256: 59ffeacb8c68a624324df0db4bb549f004806b2ddb8e00c02d6484224784cee4
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1203 Exploitation for Client Execution

The PDF document contains heuristics indicating it is malicious and attempts to lure the user into executing commands via the clipboard. It also presents a visual download button, suggesting a phishing or scam attempt. The embedded URL and other linked URLs likely lead to further malicious content or downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/how-to-make-your-own-minecraft-server-for-free-game-hack
    • http://elearning.mtsn4sda.sch.id/__statics/gudangsoal/files/who-to-get-free-robux_GM431946152.pdf
    • http://elearning.mtsn4sda.sch.id/__statics/gudangsoal/files/free-100-robux_GM431946152.pdf
    • http://elearning.mtsn4sda.sch.id/__statics/gudangsoal/files/roblox-games-free_GM431946152.pdf
    • http://elearning.mtsn4sda.sch.id/__statics/gudangsoal/files/free-robux-no-human-verification-or-survey_GM431946152.pdf
    • http://elearning.mtsn4sda.sch.id/__statics/gudangsoal/files/free-spins-for-coin-master-app_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003579.bin
b5e04fd5ee6dca516d641ae45bf7fc3646799082552266f6f0ef5a9ee90c22e7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3579 25168 bytes
font_01_sfnt_off00006eee.bin
43abef8b834297908dc205ac191a436a457546b124377fb637ef7db2584f74fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EEE 18460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.