Malicious PDF — malware analysis report

Static analysis result for SHA-256 90a9f4887a8856fd…

Verdict: MALICIOUS

File type: PDF

Size: 44.7 KB
Created: 2021-05-14 19:23:17 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16

MD5: a7b34e22d3b21ee52026b744eabb1a04
SHA-1: 2426921e8a2c0ef7a74ddc541f24e44cd653102c
SHA-256: 90a9f4887a8856fd9b748d4698fabc8b223ce8461fc9344cb2c1c81ffc990a56
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document presents a fake CAPTCHA to deceive users into interacting with it, a common social engineering tactic. It contains numerous embedded URLs, including one pointing to 'netcdn.xyz', which likely serve as lures for further malicious activity or downloads. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9632

Heuristics (4)

  • Fake CAPTCHA / human verification prompt (severity: high, rule: SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (source channel in brackets):
    • https://netcdn.xyz/app/406889139/coin-master-free-spin-whatsapp-group-link-game-hack [PDF link annotation]
    • http://miriammcconnonart.com/images/minecraft-free-no-virus_GM479516143.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-spins-coin-master-2021_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-spins-coin-master-october-17-2021_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/how-to-get-free-robux-on-computer_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-robux-no-verification-needed_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-robux-2021_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/hack-coin-master-without-human-verification_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/robux-sites_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/roblox-free-robux-com_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/coin-master-free-spins-link-2021-today_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-spins-coin-master-cheats_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/games-like-coin-master_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/get-free-spins-link-in-coin-master_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/minecraft-building-hacks_GM479516143.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/easy-how-to-get-free-robux_GM431946152.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/coin-master-daily-free-rewards_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-coins-coin-master-link-2021_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-coins-for-coin-master_GM406889139.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/minecraft-free-online_GM479516143.pdf [in PDF document text]
    • http://miriammcconnonart.com/images/free-rare-cards-for-coin-master-christmas_GM406889139.pdf [in PDF document text]
    • http://en.wikipedia.org/wiki/MIT_License [in PDF document text]

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off0000491c.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x491C
    Size: 24504 bytes
    SHA-256: a8efcbe1f0378f6594d3f331877619cbd963623e5d3d2e75e5debda3d451dcf8
  • Filename: font_01_sfnt_off00008165.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8165
    Size: 2880 bytes
    SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
  • Filename: font_02_sfnt_off00008b4f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B4F
    Size: 18560 bytes
    SHA-256: c65993a8877690b51d5778b5551e0b245465244fc3a88f38fe2d5d44dfc47c4d