Malicious PDF — malware analysis report

Static analysis result for SHA-256 facf4ec656b79bb5…

Verdict: MALICIOUS
File type: PDF
Size: 41.5 KB
Created: 2021-05-10 20:03:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 5de245e7c6774e184c4038df9a23b9d9
SHA-1: 67eca424b3e28115712873b4ae413ca5e61fe792
SHA-256: facf4ec656b79bb5d9b37da2cee5e866b2a85bab65b5644d87d7a6facbde2976
Risk score: 82

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1566.001 Phishing: Spearphishing Attachment

This PDF is assessed as malicious on two converging signals: the Nyx PDF classifier scores it 0.9971, and the document text instructs the reader to copy content and paste it into a command execution context (Run, PowerShell or a similar shell), the usual pattern for getting a user to launch a payload by hand. None of the heuristics below concerns JavaScript or an embedded file, so execution depends on the reader following those instructions, and the URLs in the document are the likely delivery path: one /URI link annotation pointing at netcdn.xyz, and a set of further PDFs hosted on tanahlot.id whose filenames (free Robux, Coin Master spins, Minecraft hacks) give away the game-cheat lure theme. The metadata shows the file was produced with wkhtmltopdf, i.e. an HTML page rendered to PDF, which is consistent with the large number of hyperlinks carried in the body text.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics (4)

  • SE_CLIPBOARD_COMMAND_LURE (high): Clipboard command execution lure
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/479516143/how-to-hack-minecraft-pe-game-hack (PDF link annotation)
    • https://tanahlot.id/assets/CKImages/files/coin-master-spin-hack-no-verification_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/how-to-get-robux-without-paying_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/how-to-get-free-spins-on-coin-master-2021_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/robuxlove-net-free-robux_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/free-spin-link-coin-master_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/roblox-premium-free_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/master-coin-hack-game_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/how-can-you-get-minecraft-for-free_GM479516143.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/coin-master-daily-free-spins-hack_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/hack-coin-master-site-rssingcom_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/hackear-coin-master-espaol_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/game-give-free-robux_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/coin-master-gold-cards-free_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/minecraft-dungeons-free_GM479516143.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/coin-master-free-spins-apk_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/robux-offers_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/roblox-script-executor-free_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/coin-master-hack-version-download-ios_GM406889139.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/free-robux-no-verification-2021-android_GM431946152.pdf (in PDF document text)
    • https://tanahlot.id/assets/CKImages/files/www-bandicam-com-free-robux_GM431946152.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind                     Source                                      Size
stream_003_off00004980.bin     decompressed-pdf-stream  PDF FlateDecode stream at offset 0x4980     24264 bytes
  SHA-256: f1b92e8b077051ec2e30a2c0b4b2443e12e4f0cb68c79c71c7631d2208eb6f9b
font_01_sfnt_off00008035.bin   pdf-font-stream          PDF embedded font (sfnt) at offset 0x8035   18196 bytes
  SHA-256: d34ad1dbd9dd4a0600043f837e3a6c6fdafb13b781254d1b565cb7d4b46c75dd
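The heuristics and the FlateDecode stream carving reported above are simple enough to reproduce by hand. The script below is an added example written for this page; it is not the analysis platform's code and it was not run against the sample. It builds a constructed PDF in memory (placeholder hosts under example.invalid, a copy-paste-into-Run lure in the page text, and one /URI link annotation), walks the raw objects, inflates the FlateDecode content stream the way the carving step does, and then applies the same checks the report shows: /URI actions (PDF_URI), URLs in the rendered text versus in link annotations (EMBEDDED_URL with its per-URL channel), and the copy/paste-into-shell phrase (SE_CLIPBOARD_COMMAND_LURE). The regular expressions, the sample document and the function names are the example's own simplifications; a production triage pipeline would sit on a real PDF parser.

```python
import re
import zlib

# Constructed sample PDF (not the analyzed file): one page whose content stream is
# FlateDecode-compressed and carries a copy-paste-into-Run lure plus a URL in the
# visible text, and one /Link annotation with a /URI action. All hosts are
# example.invalid placeholders. The xref table is omitted; the scanner below
# works on raw objects, as static triage tools do, and never needs it.
def build_sample_pdf():
    content = (b"BT /F1 12 Tf 72 700 Td "
               b"(Press Win+R, paste the copied command into Run and press Enter) Tj "
               b"0 -20 Td (Download: https://example.invalid/files/tool.pdf) Tj ET")
    packed = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://example.invalid/download) >> >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Simplified patterns: real documents also use TJ arrays, hex strings, escaped
# parentheses, indirect /Length values and object streams, so production triage
# should sit on a real parser (pypdf, pdfminer, peepdf). The approach is the same.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skip indirect refs
TJ_RE = re.compile(rb"\(([^)]*)\)\s*Tj")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Copy/paste verb followed within 80 bytes by a shell-like target, or the Win+R chord.
LURE_RE = re.compile(
    rb"\b(?:copy|copied|paste)\b.{0,80}?\b(?:run|powershell|cmd|terminal)\b|win\s*\+\s*r",
    re.I | re.S)

def iter_objects(pdf):
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.group(3)

def extract_stream(body):
    """Return the decoded bytes of the object's stream, or None if it has none."""
    m = STREAM_START_RE.search(body)
    if not m:
        return None
    header, start = body[:m.start()], m.end()
    n = LENGTH_RE.search(header)
    if n:
        data = body[start:start + int(n.group(1))]
    else:  # no usable /Length: fall back to the endstream keyword
        data = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in header:
        try:
            return zlib.decompress(data)
        except zlib.error:
            return data  # damaged or decoy filter: keep the raw bytes for the analyst
    return data

def scan_pdf(pdf):
    findings = {"uri_actions": [], "urls_in_text": [], "clipboard_lure": False, "streams": 0}
    for _num, body in iter_objects(pdf):
        for u in URI_ACTION_RE.finditer(body):            # link-annotation channel
            findings["uri_actions"].append(u.group(1).decode("latin-1"))
        data = extract_stream(body)
        if data is None:
            continue
        findings["streams"] += 1
        shown_text = b" ".join(TJ_RE.findall(data))       # what the reader sees on the page
        findings["urls_in_text"] += [x.decode("latin-1") for x in URL_RE.findall(shown_text)]
        if LURE_RE.search(shown_text):
            findings["clipboard_lure"] = True
    return findings

def triage(findings):
    """Map findings onto the heuristic IDs used in the report."""
    hits = []
    if findings["uri_actions"]:
        hits.append("PDF_URI")
    if findings["uri_actions"] or findings["urls_in_text"]:
        hits.append("EMBEDDED_URL")
    if findings["clipboard_lure"]:
        hits.append("SE_CLIPBOARD_COMMAND_LURE")
    return hits

if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("heuristics:", triage(result))
```

Run as a script it prints the findings and the heuristic IDs. The per-URL channel is the part worth keeping: a link annotation fires on a click, a URL in the body text relies on the reader retyping it, and neither is malicious on its own, which is why the report grades the URL findings info and only the clipboard lure high; the verdict comes from the combination.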