Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6cb642dd71a57bc…

MALICIOUS

PDF

39.2 KB Created: 2021-05-22 14:11:42 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 3191bdb8ffecb4e9916888b51ce318a1 SHA-1: c549dee9dc84fd42ef1f2a9dd08f0d112f402dfb SHA-256: c6cb642dd71a57bc21fb935c80b302dae3ec61ded91471b9547c72f4c7c49c63
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document uses social engineering lures, specifically a 'ClickFix' style attack, to trick users into executing commands or downloading files. The document body contains multiple URLs pointing to potential malware download sites, disguised as game hacks or generators. The presence of embedded URLs and the ML classifier's high confidence score indicate a malicious intent to deliver a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 4

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/how-to-get-minecraft-for-free-on-mac-game-hack PDF link annotation
    • http://henrikedmark.com/images/coin-master-free-spins-link-2021-app_GM406889139.pdfIn PDF document text
    • http://henrikedmark.com/images/minecraft-hacks-wurst_GM479516143.pdfIn PDF document text
    • http://henrikedmark.com/images/free-coins-app-for-coin-master_GM406889139.pdfIn PDF document text
    • http://henrikedmark.com/images/free-minecraft-wallpaper_GM479516143.pdfIn PDF document text
    • http://henrikedmark.com/images/how-to-get-roblox-premium-for-free_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003680.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3680 24732 bytes
SHA-256: 5b684ab469a5d0b8e202905fb9048e1351643b4392e3ec2715e394b96c1e70b1
font_01_sfnt_off00006f40.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6F40 2892 bytes
SHA-256: c2578a292634a901613c1dd9f9883dd4930e6811e59ae03d696f263e56ea17b4
font_02_sfnt_off00007929.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7929 17872 bytes
SHA-256: b6208a51cd80fab2e9318da305006c0e70657a6f065b62408d4ccaae69eb5aa0

Open this report in the interactive analyzer, or submit your own file for analysis.