Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5248eb81b74e734…

Verdict: MALICIOUS
File type: PDF
Size: 37.1 KB
Created: 2021-05-21 22:07:37 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6b0180d77c90c2f934833db43efa5e1a
SHA-1: 7c411b1b3a1d289ec38c2627936667143d421b51
SHA-256: f5248eb81b74e734133b25a7fd7983afbe31049c64f138f446bdf5ce700c1ad6
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF document contains a heuristic firing for a 'ClickFix' social engineering attack, instructing the user to press Win+R or paste a command into a terminal. This suggests an attempt to bypass security measures and trick the user into executing a malicious command, likely to download and run a secondary payload from the embedded URL. The presence of multiple game-related lures in the document body and embedded URLs further supports a phishing or scamming motive.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics (4)

  • ClickFix social engineering attack (severity: high, rule SE_CLICKFIX)
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/minecraft-realms-free-trial-game-hack
    • https://www.anders-sofa.com.tw/uploadpic/files/is-roblox-free-on-pc_GM431946152.pdf
    • https://www.anders-sofa.com.tw/uploadpic/files/how-to-get-free-coins-and-spins-on-coin-master_GM406889139.pdf
    • https://www.anders-sofa.com.tw/uploadpic/files/how-can-you-get-free-robux_GM431946152.pdf
    • https://www.anders-sofa.com.tw/uploadpic/files/how-to-earn-free-robux_GM431946152.pdf
    • https://www.anders-sofa.com.tw/uploadpic/files/websites-that-give-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00003567.bin
    SHA-256: d1b8292a754176a71915a31bd65373c4ab5ec981a61b9e0f33a923e0e16ad356
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3567
    Size: 26532 bytes
  • Filename: font_01_sfnt_off0000711b.bin
    SHA-256: 5e9e7e4dd5050dedb25c4bef302629088f41d3cb5f82066cb4e6c0f6a9bca7dc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x711B
    Size: 17900 bytes