Malicious PDF — malware analysis report

Static analysis result for SHA-256 caa18be671b92c96…

Verdict: MALICIOUS
File type: PDF
Size: 55.0 KB
Created: 2021-06-04 02:02:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-16
MD5: 249420a229290655535b998cf3e5bcc7
SHA-1: d4e499a52d37a26d64fe36ccf63a194aab0e5322
SHA-256: caa18be671b92c9672d0ad05d40f2a1fa1749aec14ac83bb2ad3123833c2b37e
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document uses a lure related to free game hacks, specifically mentioning Minecraft, to entice users. It contains an embedded URI pointing to a suspicious URL, likely a download location for a secondary payload. Heuristic findings indicating a password-protected archive lure, together with a general ML classifier flagging the file as malicious, further support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9497

Heuristics (4)

  • Password-protected archive handoff (high) SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment; often used to keep payloads encrypted until after gateway scanning.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.online/app/479516143/minecraft-free-no-download-game-hack (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_004_off00005396.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5396 | 25068 bytes | 00f41c69fe4247f4bb90d63d5a99ec3f4bf8cc21b94af65a824ba46482752cbb
font_01_sfnt_off00008c91.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C91 | 7936 bytes | 038829bc81e15b6024d2a75b24b2b95e916dd2d8797e4f87b867de59d61698ef
font_02_sfnt_off0000a5bc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA5BC | 4232 bytes | ab6320ab342704d2c5943abfba82ed4837bf2da871c91621741fd4cfd15c6ed5
font_03_sfnt_off0000b449.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB449 | 18292 bytes | 2f8f6932c6a5471fcd86ac874366aa199bea0908b5b9fba5acbbd4822a363b64