Malicious PDF — malware analysis report

Static analysis result for SHA-256 1441857f26e72137…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2021-05-21 05:59:44 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: d2a4e31104622bcdecc759376a9e6b13
SHA-1: ccb532cca06594a27caef12bae1650d4d9c62718
SHA-256: 1441857f26e72137b9fd211c7bdadcd55cb7a8bf18016986efb34676a4d0ce46
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a prominent link related to 'free TikTok followers', suggesting a lure for a scam or phishing attempt. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were directly extracted, the presence of external URIs and the MFA lure heuristic indicate a potential credential harvesting or social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9508

Heuristics (4)

  • MFA / one-time-code harvesting lure (severity: high, rule SE_MFA_LURE)
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Visual download / call-to-action button lure (severity: low, rule SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://netcdn.xyz/app/835599320/free-tiktok-followers-without-downloading-apps-game-hack (PDF link annotation)
    • http://dismarinamt.com.br/images/free-custom-minecraft-skins_GM479516143.pdf (in PDF document text)
    • http://dismarinamt.com.br/images/how-to-win-attack-madness-in-coin-master-hack_GM406889139.pdf (in PDF document text)
    • http://dismarinamt.com.br/images/roblox-hack-apk_GM431946152.pdf (in PDF document text)
    • http://dismarinamt.com.br/images/free-vip-roblox_GM431946152.pdf (in PDF document text)
    • http://dismarinamt.com.br/images/free-minecraft-alts_GM479516143.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_002_off00003095.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3095 | 23068 bytes | b94c72c371b267ccd498a77a5215e4857c9017edcbe624dea3f3279008177227
font_01_sfnt_off000064ba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x64BA | 19232 bytes | 4eaec90c3500ce1e4219c4072573651a36e2ced011bd787e7f6c8e7083ec9f3e