Malicious PDF — malware analysis report

Static analysis result for SHA-256 e637e89924f3505f…

MALICIOUS

PDF

Size: 40.2 KB
Created: 2021-05-22 11:36:09 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: c93bbd1a2b17505a1ade902dfa88ed4e
SHA-1: ecac9cc56051fcadfe5f298e2e74e483dffb440e
SHA-256: e637e89924f3505fd73dbd27b95966e751a37b29723d1b603978b98caa85dae3
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains multiple embedded URLs and a heuristic firing for a "Remote-support tool lure", suggesting it aims to trick the user into downloading or interacting with potentially malicious software. The presence of a "download button" heuristic further supports this, indicating a social engineering attempt to prompt user action. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7877

Heuristics 4

  • Remote-support tool lure (severity: high, rule: SE_REMOTE_SUPPORT_LURE)
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/479516143/minecraft-noob-vs-pro-vs-hacker-vs-god-game-hack
    • https://elearning.mtsn1temanggung.sch.id/__statics/gudangsoal/files/minecraft-online-free-no-download_GM479516143.pdf
    • https://elearning.mtsn1temanggung.sch.id/__statics/gudangsoal/files/free-tiktok-likes-without-verification_GM835599320.pdf
    • https://elearning.mtsn1temanggung.sch.id/__statics/gudangsoal/files/free-robux-hack_GM431946152.pdf
    • https://elearning.mtsn1temanggung.sch.id/__statics/gudangsoal/files/roblox-free-items-glitch_GM431946152.pdf
    • https://elearning.mtsn1temanggung.sch.id/__statics/gudangsoal/files/promo-code-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000036a9.bin
    SHA-256: f1355f2adebb4896e0d9b92b9263f753ef07222c91e46d909aab51f9e05b7d33
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x36A9
    Size: 25768 bytes
  • font_01_sfnt_off0000708e.bin
    SHA-256: 3811f2fb1880daf4953efcc9c7427d9b438bced237490b00be4a6ec3ecea79e0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x708E
    Size: 3092 bytes
  • font_02_sfnt_off00007b38.bin
    SHA-256: 35163f059b41a7a3602679841a335cd83055ee85c0a72342166b4475486ea273
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7B38
    Size: 18500 bytes