PDF static analysis report

Static analysis result for SHA-256 a5087daa55e462e4…

SUSPICIOUS

PDF

34.3 KB Created: 2021-05-22 13:12:46 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: a14a86b929a3ceada66810a584e9ab22 SHA-1: 8bd97e286303af25e3429960e88a279daba79de7 SHA-256: a5087daa55e462e4cdb98da00583c706d5c4a1bffd454e94e50d37789abb6fff
52 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a heuristic indicating a social engineering attack (ClickFix) that instructs the user to press Win+R, likely to execute a downloaded payload. It also contains an embedded URL pointing to a suspicious domain, which is likely used to host the malicious payload. The document body text and embedded artifacts suggest a lure for a fake Minecraft generator.

Machine Learning

  • Nyx PDF Classifier clean score 0.0718

Heuristics 4

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-download-free-download-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002cd9.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2CD9 24376 bytes
SHA-256: d4782bec17579ff0f86fef193a66edc23c1ae6f75d902c217433b07374ba3418
font_01_sfnt_off000064c1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x64C1 18292 bytes
SHA-256: bcf6477408162be3b167f843e68a68979a000ee483b53557047313ee62fe1046