Malicious PDF — malware analysis report

Static analysis result for SHA-256 65a836a02a30adb9…

Verdict: MALICIOUS
File type: PDF
Size: 46.0 KB
Created: 2021-05-23 04:07:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 45ef1ef939169e7c65288b3bce7199f2
SHA-1: 76f214c9a3716ab4491b810c3344da726f516e09
SHA-256: 65a836a02a30adb9158a0b1e620351e5be7153e5ded1e9bf53769bc9e12d5724
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF is a lure for a free game download (a "get Minecraft for free" hack), a theme routinely used to distribute malware and run scams. The remote-support-tool lure heuristic fired, and the document's external URLs point to further game-cheat PDFs hosted under an unrelated school's e-learning domain; together these strongly suggest an attempt to trick the user into installing potentially unwanted or malicious software. The ML classifier also scored the PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7826

Heuristics (4)

  • Remote-support tool lure (high) SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; high-risk in an unsolicited document.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/get-minecraft-for-free-game-hack
    • https://elearning.sman5pekanbaru.sch.id/__statics/gudangsoal/files/minecraft-ps4-free_GM479516143.pdf
    • https://elearning.sman5pekanbaru.sch.id/__statics/gudangsoal/files/how-to-download-minecraft-for-free-on-iphone_GM479516143.pdf
    • https://elearning.sman5pekanbaru.sch.id/__statics/gudangsoal/files/tiktok-for-free_GM835599320.pdf
    • https://elearning.sman5pekanbaru.sch.id/__statics/gudangsoal/files/roblox-password-hacker_GM431946152.pdf
    • https://elearning.sman5pekanbaru.sch.id/__statics/gudangsoal/files/coin-master-free-spins-daily_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                     Size
stream_002_off000034af.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x34AF   25004 bytes
  SHA-256: 2daff1726acd93e33e906e70d71518295e9a89127cb6d8d5ba6c1beddc96ce74
font_01_sfnt_off00006c8b.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x6C8B  7936 bytes
  SHA-256: 218d53b68bdddb064f6fba4be822d5b3725ed1cef1a3b42796a8dd99c4a62f4e
font_02_sfnt_off000085b4.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x85B4  4232 bytes
  SHA-256: ab6320ab342704d2c5943abfba82ed4837bf2da871c91621741fd4cfd15c6ed5
font_03_sfnt_off00009440.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x9440  17712 bytes
  SHA-256: 35f99bfb73b52248bbdf58e6e807942ea3200a6c0759a8418b864f3a1fae0a50
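Added example, not code from the analysis engine behind this report: a stdlib-only Python triage script that reproduces the mechanical findings in the heuristics and artifact sections above, namely carving and inflating FlateDecode streams with the stream_NNN_offXXXXXXXX naming used in the artifact list, pulling /URI action targets (PDF_URI / EMBEDDED_URL), and the keyword checks behind SE_REMOTE_SUPPORT_LURE and SE_DOWNLOAD_BUTTON. The PDF bytes, the example.invalid URL, the keyword lists and the "offset = start of stream data" convention are constructed assumptions. It goes one step beyond the report by tolerating a deliberately wrong /Length, which any carver run on hostile input needs.

```python
import hashlib
import re
import zlib

# A stream object's dictionary carries /Length and optionally /Filter; the data
# starts after the "stream" keyword and its EOL. An indirect "/Length 3 0 R" is
# not resolved here: the wrong number simply triggers the endstream fallback.
STREAM_HDR_RE = re.compile(
    rb"/Length\s+(\d+)(?:(?!endobj).)*?>>\s*stream\r?\n", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\\)|[^)])*)\)")   # /URI (literal string)
TJ_RE = re.compile(rb"\(((?:\\\)|[^)])*)\)\s*Tj")      # (literal string) Tj

# Illustrative keyword lists for the two social-engineering heuristics.
REMOTE_TOOLS = ("anydesk", "teamviewer", "quick assist", "screenconnect")
CTA_PHRASES = ("click here to download", "download now")


def _strip_one_eol(b):
    """Drop the single EOL that separates stream data from 'endstream'."""
    if b.endswith(b"\r\n"):
        return b[:-2]
    return b[:-1] if b.endswith((b"\n", b"\r")) else b


def carve_streams(pdf):
    """Carve every stream object, inflating FlateDecode data where possible.
    Records use the report's stream_NNN_offXXXXXXXX naming; the offset is the
    start of the stream data (an assumption about the engine's convention)."""
    records = []
    for n, m in enumerate(STREAM_HDR_RE.finditer(pdf), start=1):
        start, length = m.end(), int(m.group(1))
        raw = pdf[start:start + length]
        # /Length is attacker-controlled and evasive PDFs lie about it. If
        # 'endstream' does not follow the declared length, scan for it instead.
        if not re.match(rb"(\r?\n)?endstream", pdf[start + length:start + length + 11]):
            end = pdf.find(b"endstream", start)
            raw = _strip_one_eol(pdf[start:end if end != -1 else len(pdf)])
        try:
            data, inflated = zlib.decompress(raw), True
        except zlib.error:
            data, inflated = raw, False
        records.append({
            "name": f"stream_{n:03d}_off{start:08x}.bin",
            "offset": start,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "inflated": inflated,
            "data": data,
        })
    return records


def extract_uris(pdf):
    """Collect /URI action targets from the raw file and from inflated streams
    (link annotations are often tucked inside compressed object streams)."""
    uris = []
    blobs = [pdf] + [r["data"] for r in carve_streams(pdf) if r["inflated"]]
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            uri = m.group(1).replace(b"\\)", b")").decode("latin-1")
            if uri not in uris:
                uris.append(uri)
    return uris


def page_text(pdf):
    """Crude text recovery: literal strings passed to the Tj operator."""
    parts = []
    for r in carve_streams(pdf):
        parts += [m.group(1).decode("latin-1") for m in TJ_RE.finditer(r["data"])]
    return " ".join(parts)


def lure_heuristics(pdf):
    """Return the heuristic IDs from the report that fire on this file."""
    text = page_text(pdf).lower()
    hits = []
    if any(tool in text for tool in REMOTE_TOOLS):
        hits.append("SE_REMOTE_SUPPORT_LURE")
    if any(phrase in text for phrase in CTA_PHRASES):
        hits.append("SE_DOWNLOAD_BUTTON")
    if extract_uris(pdf):
        hits.append("PDF_URI")
    return hits


def build_sample(bad_length=False):
    """Constructed input: one link annotation plus one Flate content stream.
    bad_length=True declares a wrong /Length, as evasive samples do."""
    content = b"BT (Download Now) Tj (Install AnyDesk to get support) Tj ET"
    packed = zlib.compress(content)
    length = b"5" if bad_length else str(len(packed)).encode()
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
            b"/URI (https://example.invalid/get-game-for-free) >> >> endobj\n"
            b"2 0 obj << /Length " + length + b" /Filter /FlateDecode >>\n"
            b"stream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample()
    for r in carve_streams(sample):
        print(r["name"], r["sha256"], r["size"], "bytes")
    print("URIs:", extract_uris(sample))
    print("Heuristics:", lure_heuristics(sample))
```

To run it against a real file, replace build_sample() with open(path, "rb").read(). The text recovery only handles literal-string Tj operands; wkhtmltopdf output like this sample typically uses hex strings, TJ arrays and custom encodings for its embedded sfnt fonts, so a production lure check should run over the output of a proper text extractor rather than this regex.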