Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c638dd9e1897091…

MALICIOUS

PDF

37.2 KB Created: 2021-05-21 14:15:28 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a7034792cf60575a959fe865b3d6c764 SHA-1: 58e180f01f6172eed294f4e3ebc75ff89c39e396 SHA-256: 6c638dd9e1897091ae853db9f8ef81fcaf5ebfd9f0ecbde8d3ae6e8295772451
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a fake CAPTCHA lure and embedded URLs, suggesting an attempt to trick the user into clicking a link for a malicious download or exploit. The ML classifier also flagged this PDF as malicious. The presence of external URIs and the fake CAPTCHA heuristic indicate a social engineering attack, likely to lead to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-change-roblox-name-for-free-game-hack
    • http://stpc.it/images/coinmaster-links_GM406889139.pdf
    • http://stpc.it/images/how-to-get-free-robux-without-human-verification-2021_GM431946152.pdf
    • http://stpc.it/images/free-coins-and-spins-link-for-coin-master_GM406889139.pdf
    • http://stpc.it/images/coin-master-free-soins_GM406889139.pdf
    • http://stpc.it/images/500-free-coin-master-spins_GM406889139.pdf
    • https://www.communes.com
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003146.bin
9d92c75a93ebc04f547e32eb8f3071cd8f850871371fd1aa5df5c13377170bca		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3146 27288 bytes
font_01_sfnt_off00006dc7.bin
615cebba423b1c03ae8308d5afe847d6fc39558f9726a846a054a1198e945902		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DC7 19056 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.