Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bdf6a9a0d636318…

MALICIOUS

PDF

44.3 KB Created: 2021-05-13 08:45:47 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ccda2fc56e5fc7171612ae6b173e6e03 SHA-1: 6351acc0672587b14d07973ee586cf1304549438 SHA-256: 7bdf6a9a0d636318b19c5634df5e4e778af421e49a3ae2ae70bc22c5c986243a
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The document presents itself as a download for a game, likely Minecraft, and contains numerous URLs pointing to similar download lures. The 'ClickFix' heuristic indicates the document attempts to trick the user into executing commands, suggesting a social engineering tactic to bypass security measures and download a payload. While no scripts were directly extracted, the embedded URLs and the nature of the 'ClickFix' heuristic strongly suggest the PDF is designed to facilitate the download and execution of malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics 4

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-apk-download-free-1.1-0.55-game-hack
    • https://bgescc.com/images/how-to-hack-robux_GM431946152.pdf
    • https://bgescc.com/images/coin-master-coin-hack_GM406889139.pdf
    • https://bgescc.com/images/claim-free-spins-coin-master_GM406889139.pdf
    • https://bgescc.com/images/free-robux-hack-us_GM431946152.pdf
    • https://bgescc.com/images/how-to-get-free-robux-no-human-verification-2021_GM431946152.pdf
    • https://bgescc.com/images/202100-free-spins-coin-master_GM406889139.pdf
    • https://bgescc.com/images/free-robux-pins_GM431946152.pdf
    • https://bgescc.com/images/coin-master-free-spin-whatsapp-group-link_GM406889139.pdf
    • https://bgescc.com/images/free-spin-coin-master-online_GM406889139.pdf
    • https://bgescc.com/images/coin-master-apk-hack-35-8_GM406889139.pdf
    • https://bgescc.com/images/robux-win_GM431946152.pdf
    • https://bgescc.com/images/how-to-get-free-robux-in-2021_GM431946152.pdf
    • https://bgescc.com/images/roblox-person_GM431946152.pdf
    • https://bgescc.com/images/free-robux-com-2021_GM431946152.pdf
    • https://bgescc.com/images/minecraft-win-10-free_GM479516143.pdf
    • https://bgescc.com/images/how-to-make-free-robux_GM431946152.pdf
    • https://bgescc.com/images/robux-free-gift-card-org-hack_GM431946152.pdf
    • https://bgescc.com/images/free-robux-codes-generator_GM431946152.pdf
    • https://bgescc.com/images/roblox-arsenal-hack-script-pastebin_GM431946152.pdf
    • https://bgescc.com/images/how-to-get-a-lot-of-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b44.bin
ee7fe2f188a612939c91802f5b8aedd021e34b0c8013c10ab38c77f10cb5de9c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B44 27944 bytes
font_01_sfnt_off00008841.bin
a6c96b4407ebb47f2cfd29e129a6a077725395da0bf0a570e52244455dfee05f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8841 19116 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.