Malicious PDF — malware analysis report

Static analysis result for SHA-256 88f611ae886e9183…

MALICIOUS

PDF

38.0 KB Created: 2021-05-22 07:36:48 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: a17edbaf0263f33cd4986750df5a3660 SHA-1: a115110b22398fe628ed8276378807f0c5be2cb2 SHA-256: 88f611ae886e9183091a7c574023417d16640977aa7120b9280b7b184d002522
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1203 Exploitation for Client Execution

The PDF contains multiple embedded URLs and a heuristic firing for a clipboard command execution lure, indicating an attempt to trick the user into executing commands. The document body also contains a call-to-action phrase, further supporting a malicious intent to download or execute a payload. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7010

Heuristics 4

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/is-minecraft-free-on-pc-game-hack
    • http://www.lacarla.dk/images/roblox-redeem-codes-free_GM431946152.pdf
    • http://www.lacarla.dk/images/how-to-get-minecoins-in-minecraft-for-free_GM479516143.pdf
    • http://www.lacarla.dk/images/rbxfree-com-free-robux_GM431946152.pdf
    • http://www.lacarla.dk/images/coin-master-link_GM406889139.pdf
    • http://www.lacarla.dk/images/free-robux-cards_GM431946152.pdf
    • https://www.yout
    • https://freegiftcodes.eu
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003432.bin
208a04e4d31e18f49eb812b033d68c6070e448774c138e1d831ed2e83f42a12f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3432 24488 bytes
font_01_sfnt_off00006b08.bin
787e0768241fb57660bcc9c7f726cf687277c463cdf8c586c4782ee9d03c3606		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B08 2840 bytes
font_02_sfnt_off000074c6.bin
0ab36ec9301b9393cdac417675da6d9cb227c8d57ccc288e3f382d638798bb6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74C6 17724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.