Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea011f595f0ff1d5…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Created: 2021-05-22 13:51:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0d93d1e6ecb03dc171f612e6948325a4
SHA-1: 04b8179f69a0aed9480d8edb7da4c09dd580e9e4
SHA-256: ea011f595f0ff1d5a6592dc9ca69caec6f474eb479917fa879ee3e9e3b3bf11f
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains multiple embedded URLs pointing to sites offering 'free Minecraft' or 'free Robux', suggesting a scam or phishing attempt. The 'ClickFix' heuristic indicates the document likely instructs the user to execute a command or open a link, bypassing typical macro restrictions. The ML classifier also flagged the PDF as malicious, reinforcing the suspicious nature of the content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • ClickFix social engineering attack [severity: high] SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure [severity: low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/479516143/minecraft-svg-free-game-hack
    • https://elerning.ubkman1lampungtimur.com/__statics/gudangsoal/files/minecraft-114-download_GM479516143.pdf
    • https://elerning.ubkman1lampungtimur.com/__statics/gudangsoal/files/www-free-robux-com_GM431946152.pdf
    • https://elerning.ubkman1lampungtimur.com/__statics/gudangsoal/files/free-roblox-accounts-that-work_GM431946152.pdf
    • https://elerning.ubkman1lampungtimur.com/__statics/gudangsoal/files/password-free-roblox-accounts_GM431946152.pdf
    • https://elerning.ubkman1lampungtimur.com/__statics/gudangsoal/files/google-how-do-you-get-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
| --- | --- | --- | --- | --- |
| stream_002_off0000348e.bin | 26c8a2151701444ee298ad7e70af575b415ea6352451e428b62a00fdf2e5ea89 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x348E | 26280 bytes |
| font_01_sfnt_off0000714a.bin | f82c060a5662ddcca675aec0cfac04b32032cde6baf3a8524f802f6fcb7e6d40 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x714A | 17968 bytes |