Malicious PDF — malware analysis report

Static analysis result for SHA-256 af1126d8fd8ec080…

MALICIOUS

PDF

Size: 40.4 KB
Created: 2021-05-22 11:33:52 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0d6aeb41fdb0404ace55ced024cf4c9a
SHA-1: 761a4c6dd94623438d1e47fd80ece2e53d99dc7e
SHA-256: af1126d8fd8ec08011bff63a7f3ffe22749d0749604b885d3e1d90c535fe6881
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains heuristics indicating it is malicious and includes external URIs. The document body text, though partially garbled, contains phrases like 'Free Minecraft Bedrock Server Hosting' and a prominent 'CLICK HERE TO ACCESS MINECRAFT GENERATOR' call-to-action, suggesting a lure. The presence of multiple embedded and external URLs points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7776

Heuristics (5)

  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment, a technique often used to keep payloads encrypted until after gateway scanning.
  • Remote-support tool lure [high] SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect; high-risk in an unsolicited document.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/free-minecraft-bedrock-server-hosting-game-hack
    • http://floreswindows.com/images/how-to-use-wurst_GM479516143.pdf
    • http://floreswindows.com/images/how-to-get-free-hair-on-roblox-2021_GM431946152.pdf
    • http://floreswindows.com/images/roblox-free-items_GM431946152.pdf
    • http://floreswindows.com/images/free-roblox-accounts-with-robux_GM431946152.pdf
    • http://floreswindows.com/images/free-minecraft-printables_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off000037fc.bin
    SHA-256: 0e3d89441eaa426cc3e1dfeaeaa98e274a03a1035fcbc49f8ad0c89e9575cb71
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x37FC
    Size: 25336 bytes
  • Filename: font_01_sfnt_off0000718e.bin
    SHA-256: 8c5d9bcb386d88c7f99323d8d482e46ea21dea038a5b842744dd5d39b26b2c44
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x718E
    Size: 2856 bytes
  • Filename: font_02_sfnt_off00007b64.bin
    SHA-256: fcf161d812b4feaa3e2bf8e8c417d8656b3909a46e27a4c0a1d90eda073f6fc6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B64
    Size: 18672 bytes