PDF static analysis report

Static analysis result for SHA-256 c50e59d32fb24d64…

SUSPICIOUS

PDF

37.1 KB Created: 2021-05-14 08:03:57 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 9828fd7911cb42c1756721c445ab3215 SHA-1: 662e4d088426c788eddb2e2a4875f7da18d158a6 SHA-256: c50e59d32fb24d6403cd8ab1014886fc831c7968170cfd2cfbccb3b38dd06d61
52 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a lure related to obtaining a Minecraft cape for free, which is a common tactic for scams or malware distribution. It includes a high-risk heuristic for a remote-support tool lure, suggesting the user might be instructed to install such software. The embedded URL points to a domain associated with game hacks, further supporting the malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0334

Heuristics 4

  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/how-to-get-a-cape-in-minecraft-for-free-game-hack PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00003791.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3791 25060 bytes
SHA-256: a84ac14e84a03c8eb8ad48f0d3643c4c2b83adf67c3ec6ee0deb9aafeffd22bf
font_01_sfnt_off0000708b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x708B 18052 bytes
SHA-256: 651613c0b0933ea46dfe34ab8437030315119b6d54c219aba7cf9326f75e4fa1