Malicious PDF — malware analysis report

Static analysis result for SHA-256 96221ed254fe1f10…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2021-05-15 17:06:45 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9900b5098778ed17b19e107e2ae9d9b0
SHA-1: 8fb5d726b359353b023f6ca51862a0659db1ac9b
SHA-256: 96221ed254fe1f10c0e968a9e8200edc58586fc855d0e09f48758bab85b754ed
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The document shows a fake CAPTCHA / human-verification prompt to push the reader into clicking its links. The link targets are hosted under the /images/ directory of i-koinoxrista.gr and on netcdn.xyz, and their filenames use game-hack and free-currency lures (Coin Master spins, free Robux, free Minecraft), a common social-engineering theme. The authoring application is wkhtmltopdf, so the file was rendered from an HTML page rather than written in a PDF editor. Static analysis did not retrieve what sits behind the links; further malware or an exploit kit is an inference from the lure pattern, not an observation from this sample. The ML classifier scored the PDF 0.9971, consistent with the heuristic findings.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9971

Heuristics (4)

  • SE_FAKE_CAPTCHA (high): Fake CAPTCHA / human verification prompt
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • https://netcdn.xyz/app/406889139/hack-version-of-coin-master-game-hack
    • http://i-koinoxrista.gr/images/coin-master-hack-spins-ios_GM406889139.pdf
    • http://i-koinoxrista.gr/images/free-robux-no-downloading-apps_GM431946152.pdf
    • http://i-koinoxrista.gr/images/how-to-get-minecraft-bedrock-for-free-with-java_GM479516143.pdf
    • http://i-koinoxrista.gr/images/coin-master-free-cards_GM406889139.pdf
    • http://i-koinoxrista.gr/images/free-robux-stream_GM431946152.pdf
    • http://i-koinoxrista.gr/images/free-robux-no-verification_GM431946152.pdf
    • http://i-koinoxrista.gr/images/pro-free-spins-coin-master_GM406889139.pdf
    • http://i-koinoxrista.gr/images/coin-master-free-generator_GM406889139.pdf
    • http://i-koinoxrista.gr/images/how-to-get-free-cards-sets-for-coin-master_GM406889139.pdf
    • http://i-koinoxrista.gr/images/hack-coin-master-nyc_GM406889139.pdf
    • http://i-koinoxrista.gr/images/2021-roblox_GM431946152.pdf
    • http://i-koinoxrista.gr/images/coin-master-online-hack_GM406889139.pdf
    • http://i-koinoxrista.gr/images/roblox-g_GM431946152.pdf
    • http://i-koinoxrista.gr/images/free-spins-and-coins-coin-master-facebook_GM406889139.pdf
    • http://i-koinoxrista.gr/images/hack-coin-master-download-ios_GM406889139.pdf
    • http://i-koinoxrista.gr/images/is-windows-10-minecraft-free_GM479516143.pdf
    • http://i-koinoxrista.gr/images/how-to-get-free-robux-without-verification_GM431946152.pdf
    • http://i-koinoxrista.gr/images/play-minecraft-online-free_GM479516143.pdf
    • http://i-koinoxrista.gr/images/hacks-minecraft_GM479516143.pdf
    • http://i-koinoxrista.gr/images/how-to-get-free-robux-generator_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off000047f3.bin
  SHA-256: bd23f1b49529094067642d697a11f7845a6ae3208f5172fc7ece216b0662469f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x47F3
  Size: 24744 bytes

Filename: font_01_sfnt_off0000806c.bin
  SHA-256: d9bde3e406d035dad20a2676c1f7ae85e4d06f1b9e5d7d6c6a094e48c8d4446c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x806C
  Size: 17848 bytes
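The following is an added example, not the analyzer's code and not part of the report, of the kind of static pass that produces the PDF_URI / EMBEDDED_URL findings, the SE_* phrase heuristics and the carved FlateDecode stream listed above. It walks the raw file with regular expressions, inflates FlateDecode streams with zlib, pulls /URI actions from both the raw file and the inflated streams, and matches string literals in content streams against social-engineering phrases. The sample PDF, its placeholder URL and the phrase lists are constructed for the example; nothing here is taken from the analyzed file.

```python
"""Minimal PDF triage: /URI actions, FlateDecode streams, SE phrases.
Added example; the phrase lists and the sample PDF are assumptions."""
import re
import zlib

# Assumed phrase lists standing in for the report's SE_* heuristic rules.
SE_PHRASES = {
    "SE_FAKE_CAPTCHA": (b"i am not a robot", b"human verification",
                        b"verify you are human"),
    "SE_DOWNLOAD_BUTTON": (b"click here to download", b"download now"),
}

# /URI with a literal string operand, e.g. /URI (http://...)
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)")
# A stream dictionary followed by the stream keyword. The dict group may not
# contain a nested '<<', so it cannot run across unrelated objects.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
# Direct /Length only; an indirect reference (/Length 6 0 R) is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# PDF literal strings (...) inside a decoded content stream.
LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)")


def build_sample_pdf() -> bytes:
    """Constructed sample: one page, one FlateDecode content stream holding a
    fake-CAPTCHA lure, one /Link annotation with a /URI action (placeholder URL)."""
    text = b"BT /F1 18 Tf 72 700 Td (I am not a robot - click to verify) Tj ET"
    body = zlib.compress(text)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 400 720] "
        b"/A << /S /URI /URI (http://lure.example/free-coins_GM1.pdf) >> >>",
    ]
    pdf = bytearray(b"%PDF-1.4\n")
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(pdf)


def carve_streams(pdf: bytes):
    """Yield (stream dictionary, decoded body) for every stream object."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        length = LENGTH_RE.search(m.group("dict"))
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end != -1 else len(pdf)].rstrip(b"\r\n")
        if b"/FlateDecode" in m.group("dict"):
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # damaged or chained filters; leave to a full parser
        yield m.group("dict"), raw


def triage(pdf: bytes) -> dict:
    """Return the indicators a quick static pass would report."""
    uris = [m.group("lit").decode("latin-1") for m in URI_RE.finditer(pdf)]
    literals, streams = [], 0
    for _, decoded in carve_streams(pdf):
        streams += 1
        literals.extend(LITERAL_RE.findall(decoded))
        # URI actions inside object streams only appear after inflation.
        uris += [m.group("lit").decode("latin-1") for m in URI_RE.finditer(decoded)]
    text = b" ".join(literals).lower()
    hits = [name for name, phrases in SE_PHRASES.items()
            if any(p in text for p in phrases)]
    if uris:
        hits.append("PDF_URI")
    return {"uris": sorted(set(uris)), "heuristics": hits, "streams": streams}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

The regex pass is deliberately shallow: text split across TJ arrays, hex strings, fonts with custom encodings, object streams and encrypted files all defeat it, and /URI operands can be hex strings too. It is enough to reproduce the link-annotation and content-stream channels on a simple wkhtmltopdf-style document; for production triage, a real PDF parser (pdfminer, peepdf, pdf-parser) should do the object walking and the same phrase and URI checks should run over its output.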