Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b102570d11f1f8b…

Verdict: MALICIOUS
File type: PDF
Size: 39.5 KB
Created: 2021-05-24 02:16:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: 0abdf87bd0b9d535c6a478078f04a8cc
SHA-1: 8b60be49652fd6571ce885ff49bd36e1c9dcb729
SHA-256: 9b102570d11f1f8b9eacdff1b3ebaf20a67bb72a31bbe29deaac65f160ac75e2
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains heuristics indicating social engineering tactics, specifically a 'ClickFix' attack that prompts the user to execute a command. It also includes embedded URLs that likely lead to malicious downloads, disguised as game hacks. The document body explicitly contains a call-to-action phrase 'CLICK HERE TO ACCESS MINECRAFT GENERATOR' and multiple URLs pointing to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8068

Heuristics (4)

  • ClickFix social engineering attack (severity: high) SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure (severity: low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs, with the channel that reached each:
    • https://netcdn.xyz/app/479516143/minecraft-free-android-game-hack (PDF link annotation)
    • http://garciamadeirascampinas.com.br/images/how-to-hack-people-on-roblox_GM431946152.pdf (in PDF document text)
    • http://garciamadeirascampinas.com.br/images/coin-master-hack_GM406889139.pdf (in PDF document text)
    • http://garciamadeirascampinas.com.br/images/minecraft-for-chromebook-free_GM479516143.pdf (in PDF document text)
    • http://garciamadeirascampinas.com.br/images/free-links-coin-master_GM406889139.pdf (in PDF document text)
    • http://garciamadeirascampinas.com.br/images/free-spins-on-coin-master-links-2021_GM406889139.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off0000371f.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x371F
    Size: 25048 bytes
    SHA-256: 77e370126ae1e0f6bc413396597132c950b2f8af724e01eb1b9781a13e67990c
  • Filename: font_01_sfnt_off00007050.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7050
    Size: 2880 bytes
    SHA-256: 10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132
  • Filename: font_02_sfnt_off00007a3a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A3A
    Size: 17884 bytes
    SHA-256: 82c3baf37781722f94369c3593b69e30ff14556e6fd52427afe75c94c9d4ce60