Malicious PDF — malware analysis report

Static analysis result for SHA-256 91c5b17d067b154e…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Created: 2021-05-23 01:08:11 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 5157836327c55a40e8db2491f151e4e0
SHA-1: 1428402b091a49eb1afbca012dc3113c6ff6dd2c
SHA-256: 91c5b17d067b154ed3037cbfa72b908bba80dd00e7e724e2e7b17c844fced57d
Risk score: 122

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer

The PDF document uses a lure related to free game hacks and generators to trick users into clicking links. Heuristics also flag a password-protected archive lure and a remote-support tool lure, indicating that the user is being directed to download and install potentially malicious software. The embedded URLs point to suspicious domains that likely host the secondary payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (5)

  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Remote-support tool lure (severity: high, SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, etc.) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/how-to-make-a-minecraft-server-for-free-game-hack
    • http://www.makoto.su/images/apps-to-get-free-robux_GM431946152.pdf
    • http://www.makoto.su/images/minecraft-free-computer-game_GM479516143.pdf
    • http://www.makoto.su/images/instagram-free-coin-master-spins_GM406889139.pdf
    • http://www.makoto.su/images/roblox-hack-codes_GM431946152.pdf
    • http://www.makoto.su/images/easy-robux-generator_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000356b.bin
    SHA-256: 75daa35b1c9dacb042d08585a2c65125fb88b03bbaee330daae36e7d54386bdf
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x356B
    Size: 25576 bytes
  • Filename: font_01_sfnt_off00006ef8.bin
    SHA-256: 7ebd6cc6f7d73451d43dfe99dc02d56d86c4e3c51693199467050b16fbe82799
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EF8
    Size: 18156 bytes