Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd082f0f58dad74b…

Verdict: MALICIOUS

File type: PDF

Size: 46.5 KB
Created: 2021-05-23 08:04:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: aae616044cc599989582a6581ad0210b
SHA-1: 8b6efd25590ef438e43a796f98b081c62abd9edf
SHA-256: dd082f0f58dad74be95cdde4065d14e09b2a43024900ce4b92aa7bcaf821e801
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains multiple embedded URLs pointing to potentially malicious download sites, disguised as free game hacks or generators. The document body explicitly instructs the user to 'CLICK HERE TO ACCESS MINECRAFT GENERATOR' and also contains a heuristic firing for a 'Clipboard command execution lure', suggesting the user is prompted to paste commands into a shell. This indicates a likely attempt to trick the user into downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7723

Heuristics (4)

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/free-minecraft-pe-server-game-hack
    • http://brokermortgages.com/images/tiktok-free-install_GM835599320.pdf
    • http://brokermortgages.com/images/minecraft-app-store-free_GM479516143.pdf
    • http://brokermortgages.com/images/coin-master-hack-extension_GM406889139.pdf
    • http://brokermortgages.com/images/freer-tiktok_GM835599320.pdf
    • http://brokermortgages.com/images/free-robux-com-2021_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_002_off0000356d.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x356D
    Size: 25104 bytes
    SHA-256: 1270739d814a9cb10aecb9d19449f1cac693f2cff5d98761e7d613f5b7cfe6ef
  • font_01_sfnt_off00006e3e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E3E
    Size: 7936 bytes
    SHA-256: 218d53b68bdddb064f6fba4be822d5b3725ed1cef1a3b42796a8dd99c4a62f4e
  • font_02_sfnt_off00008768.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8768
    Size: 4232 bytes
    SHA-256: ab6320ab342704d2c5943abfba82ed4837bf2da871c91621741fd4cfd15c6ed5
  • font_03_sfnt_off000095f5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x95F5
    Size: 17836 bytes
    SHA-256: 40ba9e4e6a96b9fbdb66fe1c3cdc29181d81f4b56a4eeac74a5dcf6bc0460396