Malicious PDF — malware analysis report

Static analysis result for SHA-256 66474579d10cc8f8…

MALICIOUS

PDF

46.9 KB Created: 2021-05-23 21:41:41 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f688e71cbacd3b993ff5a0d74fe6aa11 SHA-1: d51ab158c898739a0f805a116decc8035b884110 SHA-256: 66474579d10cc8f89298866d872aec63ed6ec6a6892d32d6ef9e4f11db65280b
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains lures for free game items and includes multiple embedded URLs pointing to suspicious domains, likely intended to deliver malware. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the downloaded content may be encrypted, a common tactic to evade security scans. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7723

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/free-minecraft-account-and-password-game-hack
    • http://chocolats-boccardi-carcassonne.com/images/free-robux-no-verification-or-survey-2021_GM431946152.pdf
    • http://chocolats-boccardi-carcassonne.com/images/free-spins-coin-master-blogspot_GM406889139.pdf
    • http://chocolats-boccardi-carcassonne.com/images/coin-master-35-2-hack_GM406889139.pdf
    • http://chocolats-boccardi-carcassonne.com/images/coin-master-hack-without-verification-2021_GM406889139.pdf
    • http://chocolats-boccardi-carcassonne.com/images/how-to-hack-roblox-passwords_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003579.bin
e5315aeba393ebdfde1368fd0b9f36e5d7a459573a857d44c31eb417129a9351		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3579 25160 bytes
font_01_sfnt_off00006e2e.bin
218d53b68bdddb064f6fba4be822d5b3725ed1cef1a3b42796a8dd99c4a62f4e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E2E 7936 bytes
font_02_sfnt_off00008757.bin
ab6320ab342704d2c5943abfba82ed4837bf2da871c91621741fd4cfd15c6ed5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8757 4232 bytes
font_03_sfnt_off000095e3.bin
071cc331fbe0dfc1a6c0e7c1f1383f87707aabc4deba919dc9b38235f2b9b975		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95E3 18344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.