Malicious PDF — malware analysis report

Static analysis result for SHA-256 eea708cd9ea80b72…

MALICIOUS

PDF

36.8 KB Created: 2021-05-22 12:13:42 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: f6d1f99858f3a431ac832891fab6771c SHA-1: 532c91101c6c8fb41334cd48be703b2fad463147 SHA-256: eea708cd9ea80b7216df467c65152fec246e87b42c07c2c91c7df361ca0ddedb
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains embedded URLs and a document body that explicitly lures the user with promises of free Minecraft redeem codes or game hacks. The presence of multiple related URLs, combined with the 'ML_NYX_PDF_MALICIOUS' heuristic and the 'SE_PASSWORD_ARCHIVE_LURE' finding, strongly suggests this document is designed to trick users into downloading and potentially decrypting a malicious payload. The document body's call to action, 'CLICK HERE TO ACCESS MINECRAFT GENERATOR', further supports this malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/minecraft-redeem-code-free-game-hack
    • https://elearning.man2kojam.sch.id/__statics/gudangsoal/files/minecraft-pe-hacked-client-download_GM479516143.pdf
    • https://elearning.man2kojam.sch.id/__statics/gudangsoal/files/free-robux-promo-codes-2021_GM431946152.pdf
    • https://elearning.man2kojam.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-on-iphone_GM431946152.pdf
    • https://elearning.man2kojam.sch.id/__statics/gudangsoal/files/coin-master_GM406889139.pdf
    • https://elearning.man2kojam.sch.id/__statics/gudangsoal/files/rblx-gg-free-robux_GM431946152.pdf
    • https://education.minecraft
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000357f.bin
61d75f3e8d9ad7f8b12a44fa155765cd275c2dd1b5ec4884d06bd695b41c7908		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x357F 25260 bytes
font_01_sfnt_off00006f3f.bin
cc19f71067fb84b21b4f81fd44d646587f5653a8a3073e37b17122851b8ee9dd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6F3F 18144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.