Malicious PDF — malware analysis report

Static analysis result for SHA-256 e65fc4158b2be095…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2021-05-24 22:09:26 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 9d07c884000dadd1e885ffe978638a69
SHA-1: f4867937d7a0f15df22a2f51a862e9671b4a62fe
SHA-256: e65fc4158b2be095d2ee8cbfa82285d117e98c5afbb49d3f321772cc547d8f8f
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a fake CAPTCHA lure, designed to trick users into clicking a link to download a malicious file. The document body and extracted URLs point towards the distribution of game hacks or cheats. The primary URL leads to a resource hosted on netcdn.xyz, which is suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • Fake CAPTCHA / human verification prompt [high] SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/479516143/minecraft-windows-10-hacked-client-game-hack (primary)
    • http://schmittmusic.de/images/coin-master-game-free-play-online_GM406889139.pdf
    • http://schmittmusic.de/images/can-you-get-robux-for-free_GM431946152.pdf
    • http://schmittmusic.de/images/haktuts-coin-master_GM406889139.pdf
    • http://schmittmusic.de/images/how-to-hack-coin-master_GM406889139.pdf
    • http://schmittmusic.de/images/free-robux-com-no-verification_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00003305.bin
    SHA-256: 1055b369d9a7e15141790d8fd84085c060e8c6bf1f1f4d5a13e74e684ec5e5aa
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3305
    Size: 26120 bytes
  • Filename: font_01_sfnt_off00006f81.bin
    SHA-256: f9a71ab68452ae4ccd094805e59123059ba28481ac44c73a337d9a6d18fc1d00
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6F81
    Size: 18768 bytes