Malicious PDF — malware analysis report

Static analysis result for SHA-256 b09d3fe25c9d3f0e…

MALICIOUS

PDF

34.5 KB Created: 2021-05-31 06:11:25 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: cf0197695af92203043680a1455c5d10 SHA-1: 11c3468624dd99b5cd52732e63b54fc48700914e SHA-256: b09d3fe25c9d3f0e312575bbb2607e4b409163de5fa25bd983125cc05dc99a4d
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1105 Ingress Tool Transfer

The PDF employs a fake CAPTCHA and clipboard command lure to deceive users into executing arbitrary commands. The embedded URL, https://netcdn.xyz/app/479516143/minecraft-java-free-trial-game-hack, likely serves as a download source for a second-stage payload. The document's content and heuristics strongly suggest a social engineering attack aimed at user execution.

Machine Learning

  • Nyx PDF Classifier clean score 0.0718

Heuristics 6

  • Fake CAPTCHA with command-running instructions critical SE_FAKE_CAPTCHA_CLICKFIX
    Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-java-free-trial-game-hack
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002e76.bin
70d99649961c1789c67e8aebc2c4ce6522ba80b9e3c3103556637fe4c8c51afe		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2E76 25068 bytes
font_01_sfnt_off000066dc.bin
d296bfe87a6dc97e41f58611965175a9d8d851c6709ce0e2d245db43bc469752		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66DC 17924 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.