Malicious PDF — malware analysis report

Static analysis result for SHA-256 e22528a51d3d33ac…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2021-05-20 23:55:55 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 86e3b59baab9361095b606b75b51992a
SHA-1: ad77a2ddbd1bf5ce1dc5c456d759c5a507ecf1e2
SHA-256: e22528a51d3d33acec32c8db9990ad52059ca502a3f555c09b1d613a92583b40
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains a lure for a Minecraft hack, directing users to a URL that likely hosts a malicious payload. The 'ClickFix' heuristic indicates the document instructs users to execute commands directly, bypassing typical macro restrictions. The presence of multiple suspicious URLs and the ML classifier's high confidence score support the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • ClickFix social engineering attack [severity: high] SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal, consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action (/URI)
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • https://netcdn.xyz/app/479516143/minecraft-mac-free-game-hack
    • https://learning.mtsn1sukabumi.sch.id/__statics/gudangsoal/files/coin-master-website_GM406889139.pdf
    • https://learning.mtsn1sukabumi.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-accounts-2021-easy_GM431946152.pdf
    • https://learning.mtsn1sukabumi.sch.id/__statics/gudangsoal/files/coin-master-download_GM406889139.pdf
    • https://learning.mtsn1sukabumi.sch.id/__statics/gudangsoal/files/coin-master-free-spins-and-coins-blogspot_GM406889139.pdf
    • https://learning.mtsn1sukabumi.sch.id/__statics/gudangsoal/files/free-robux-with-no-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000337b.bin
  SHA-256: 7ccbb18ede7dba3f0eee6aeb49e4a30a3a2dc954796b0b41aafd46205b4f41be
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x337B
  Size: 28852 bytes

Filename: font_01_sfnt_off0000736b.bin
  SHA-256: 2778e064ee8e4e3a4bd3984a17bb7eaaeefaa41a67eb131b8ade69fe1653bbfc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x736B
  Size: 17568 bytes
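To show concretely what the heuristics (PDF_URI, EMBEDDED_URL with per-channel labels, SE_CLICKFIX) and the carved FlateDecode artifact above correspond to, here is an added example written for this page; it is not the analysis engine's own code. It walks a PDF for /URI actions, inflates each FlateDecode stream by file offset (salvaging a truncated stream rather than dropping it), rescans the decompressed bytes so every URL carries the channel it was found in, and runs a ClickFix-style pattern set over the visible text. The minimal PDF, the example.invalid URL and the regex set are constructed assumptions for the demo.

```python
import re
import zlib
from typing import Dict, Iterator, List, Tuple

# Constructed sample (not the analysed file): one FlateDecode content stream
# whose text matches the ClickFix pattern, plus one /URI link annotation.
SAMPLE_TEXT = b"Press Win+R, paste the command below and press Enter"
SAMPLE_URI = b"https://example.invalid/app/minecraft-hack"  # hypothetical host


def build_sample_pdf() -> bytes:
    content = b"BT /F1 12 Tf (" + SAMPLE_TEXT + b") Tj ET"
    packed = zlib.compress(content)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] ",
        b"/A << /S /URI /URI (" + SAMPLE_URI + b") >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")          # skip "endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")  # skip indirect "/Length 5 0 R"
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
TEXT_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)\s*Tj")
# Assumed ClickFix indicators; the engine's real rule set is not published here.
CLICKFIX_PATTERNS = {
    "win_r": re.compile(r"\bwin(dows)?\s*\+\s*r\b", re.I),
    "run_dialog": re.compile(r"\brun\s+dialog\b", re.I),
    "paste_command": re.compile(r"\bpaste\b.{0,40}\b(command|code|script)\b", re.I),
    "shell_named": re.compile(r"\b(powershell|cmd\.exe|command prompt|terminal)\b", re.I),
}


def _unescape(s: bytes) -> bytes:
    # Undo the PDF literal-string escapes for ( ) and backslash.
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_uris(data: bytes) -> List[str]:
    return [_unescape(m.group(1)).decode("latin-1") for m in URI_RE.finditer(data)]


def iter_streams(pdf: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Yield (offset, object dictionary, raw stream bytes) for every stream."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        header = pdf[max(pdf.rfind(b" obj", 0, m.start()), 0):m.start()]
        lm = LENGTH_RE.search(header)
        if lm:  # direct /Length: binary-safe slice, no keyword scanning
            yield start, header, pdf[start:start + int(lm.group(1))]
        else:   # indirect or missing /Length: fall back to the keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                return
            yield start, header, pdf[start:end].rstrip(b"\r\n")


def inflate(raw: bytes) -> Tuple[bytes, bool]:
    """Decompress a FlateDecode stream. A truncated stream keeps whatever
    inflated so far (intact=False) instead of losing the artifact."""
    try:
        return zlib.decompress(raw), True
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(raw), False
        except zlib.error:
            return b"", False


def visible_text(content: bytes) -> str:
    # Only plain (...) Tj operands; a real extractor also handles TJ arrays
    # and custom font encodings, which lures use to dodge naive regexes.
    return " ".join(_unescape(m.group(1)).decode("latin-1")
                    for m in TEXT_RE.finditer(content))


def clickfix_hits(text: str) -> List[str]:
    return [name for name, rx in CLICKFIX_PATTERNS.items() if rx.search(text)]


def analyze(pdf: bytes) -> Dict[str, list]:
    report = {"uris": [], "streams": [], "clickfix": []}
    report["uris"] += [("raw", u) for u in extract_uris(pdf)]
    text = []
    for offset, header, raw in iter_streams(pdf):
        if b"/FlateDecode" not in header:
            continue
        plain, intact = inflate(raw)
        label = "stream@0x%X" % offset   # channel label, like the report's offsets
        report["streams"].append({"offset": offset, "size": len(plain), "intact": intact})
        report["uris"] += [(label, u) for u in extract_uris(plain)]
        text.append(visible_text(plain))
    report["clickfix"] = clickfix_hits(" ".join(text))
    return report
```

Run `analyze(build_sample_pdf())` to get the raw-channel URI, one inflated stream with its offset and size, and the ClickFix hits; on a real sample the same walk would produce the stream offsets listed in the artifact table. Two caveats matter in practice: URLs inside object streams or JavaScript are only visible after inflation, which is why the rescan of decompressed bytes exists, and a lure page rendered by an HTML-to-PDF converter usually carries its instructions as ordinary text, so the text-layer check is what fires SE_CLICKFIX, not any active content.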