Malicious PDF — malware analysis report

Static analysis result for SHA-256 f137361920e5ddd4…

MALICIOUS

PDF

35.7 KB Created: 2021-05-22 22:44:02 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 162c4983c578a6ae4e545be18b170353 SHA-1: 229b3e6c8027ed3c8c09a95ad94e78aeeb33aa0e SHA-256: f137361920e5ddd4108d84259c37883e62af0452e8963be9a045210aecd8002b
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple embedded URLs that lead to potentially malicious content, disguised as game hacks or generators. The presence of a 'download button' heuristic and the 'password-protected archive lure' suggest a workflow designed to trick users into downloading and potentially decrypting a payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics 4

  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/479516143/classic-minecraft-net-hacks-game-hack
    • http://elearningnew.mansasingkawang.sch.id/__statics/gudangsoal/files/cute-free-hair-on-roblox_GM431946152.pdf
    • http://elearningnew.mansasingkawang.sch.id/__statics/gudangsoal/files/free-robux-websites-no-human-verification_GM431946152.pdf
    • http://elearningnew.mansasingkawang.sch.id/__statics/gudangsoal/files/hackear-coin-master_GM406889139.pdf
    • http://elearningnew.mansasingkawang.sch.id/__statics/gudangsoal/files/free-spins-on-coin-master-2021_GM406889139.pdf
    • http://elearningnew.mansasingkawang.sch.id/__statics/gudangsoal/files/bloxpink-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000033d0.bin
c3b89cfe5ead4324aa0e31a4a1aac086d32783882eec3e74477ddd204d0c901e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x33D0 24888 bytes
font_01_sfnt_off00006bed.bin
06eb0692cb0ff670c8084f221f19fc536b6b0c4a84b00058b05a05adc7fae17c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BED 17812 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.