Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7ea44c856a1640a…

MALICIOUS

PDF

35.9 KB Created: 2021-05-22 15:50:50 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: d948ce351007c34251ed3a9717901314 SHA-1: 71cd9e33f6c233e620e3573d0d9c26eb31fc7454 SHA-256: c7ea44c856a1640a6a3a7d7888ad233507fce460042c893c9d23abaddbe7209a
182 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The sample is a PDF that employs social engineering tactics, specifically a fake CAPTCHA and instructions to run a command, to bypass security measures. The embedded URL and document body content suggest a lure for game-related cheats or hacks, likely to download a malicious payload. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9492

Heuristics 6

  • Fake CAPTCHA with command-running instructions critical SE_FAKE_CAPTCHA_CLICKFIX
    Document combines fake CAPTCHA or human-verification language with instructions to paste or run a command — a high-confidence ClickFix pattern
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-realms-free-game-hack PDF link annotation
    • http://sv-nahetal.de/images/roblox-free-robux_GM431946152.pdfIn PDF document text
    • http://sv-nahetal.de/images/coin-master-free-spins-link-blogspot-today_GM406889139.pdfIn PDF document text
    • http://sv-nahetal.de/images/free-robux-legit_GM431946152.pdfIn PDF document text
    • http://sv-nahetal.de/images/how-you-get-robux_GM431946152.pdfIn PDF document text
    • http://sv-nahetal.de/images/free-spins-coin-master-2021_GM406889139.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003472.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3472 24604 bytes
SHA-256: 397e4297c9c7f50070ef5029b473c7ae48189367a0526506d53e7a0834944e80
font_01_sfnt_off00006c93.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6C93 17900 bytes
SHA-256: badbc394cd8954733b164be5cc8c6ff402afbb9d7774d644eb4a8191a91f4c18