Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4f7dd17ae103008…

MALICIOUS

PDF

38.6 KB Created: 2021-05-21 11:17:05 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: cd2a35acf023471d5a251ecc041932dd SHA-1: 688a1a69bb3da29c007b62556de03a08323514b5 SHA-256: d4f7dd17ae1030088b5eeae6286fb2f8797ff1e1d862e59fc05829f93c47e750
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains embedded links and a call-to-action phrase, consistent with social engineering to trick users into downloading potentially malicious content. The ML classifier also flagged this PDF as malicious. The primary lure appears to be a 'Minecraft hack client' hosted on netcdn.xyz.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 4

  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-pe-hack-client-game-hack PDF link annotation
    • http://elearning.mtsn7agam.sch.id/__statics/gudangsoal/files/free-robux-no-survey_GM431946152.pdfIn PDF document text
    • http://elearning.mtsn7agam.sch.id/__statics/gudangsoal/files/coin-master-free-spin-reward-links_GM406889139.pdfIn PDF document text
    • http://elearning.mtsn7agam.sch.id/__statics/gudangsoal/files/free-spins-in-coin-master-without-human-verification_GM406889139.pdfIn PDF document text
    • http://elearning.mtsn7agam.sch.id/__statics/gudangsoal/files/coin-master-cheat-engine-hack_GM406889139.pdfIn PDF document text
    • http://elearning.mtsn7agam.sch.id/__statics/gudangsoal/files/coin-master-free-spins-promo-code_GM406889139.pdfIn PDF document text
    • https://playhack.in/minecraftIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003349.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3349 25204 bytes
SHA-256: eb762f8a0d45494998526364af0266907bb2928522f3f316aa8480243e330323
font_01_sfnt_off00006d1f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6D1F 2820 bytes
SHA-256: 96a70491b0783ad8c6fc9b11a18f021aa22c69ac41ee4499b781d16a1b99b689
font_02_sfnt_off000076bf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x76BF 17968 bytes
SHA-256: a1bdeaf7b929e0321b1dbbf2b8f1cbdbbbd0c833166bb9e07af12e4b4538f125

Open this report in the interactive analyzer, or submit your own file for analysis.