PDF static analysis report

Static analysis result for SHA-256 1db454c562ed3171…

SUSPICIOUS

PDF

35.1 KB Created: 2021-05-23 21:06:23 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-27
MD5: 3a6756f56359c4f7e14d12a62f5f2ad4 SHA-1: 55fce7b326a3d86226b9af4e9add00bc435c1840 SHA-256: 1db454c562ed3171abe49a5bfc6dbd1c1cebe8fc61aa9e283f05fd5b3b36dfb6
42 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs pointing to sites offering 'free fans on TikTok' and 'free Robux', which are common lures for scams or malware distribution. The ML classifier also flagged the PDF as malicious. The document body explicitly contains the URL 'https://netcdn.xyz/app/835599320/free-fans-on-tiktok-game-hack' and a call to action 'CLICK HERE TO ACCESS TIKTOK GENERATOR', indicating a phishing or malware delivery attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9508

Heuristics 3

  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/free-fans-on-tiktok-game-hack PDF link annotation
    • https://ifef.es/ckfinder/userfiles/files/codes-how-to-get-free-robux_GM431946152.pdfIn PDF document text
    • https://ifef.es/ckfinder/userfiles/files/roblox-hack-ios_GM431946152.pdfIn PDF document text
    • https://ifef.es/ckfinder/userfiles/files/coin-master-fan-page-free-spins_GM406889139.pdfIn PDF document text
    • https://ifef.es/ckfinder/userfiles/files/coin-master-online-hack-2021_GM406889139.pdfIn PDF document text
    • https://ifef.es/ckfinder/userfiles/files/how-to-hack-pubg-mobile-uc-without-human-verification_GM1330123889.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002c87.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2C87 27156 bytes
SHA-256: 810208b63cb048dae87a2687d8ec873a9476e97b8b0a435771f6f94a9951e56f
font_01_sfnt_off000069a4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x69A4 17684 bytes
SHA-256: c4bad94708efb6699dc1c2f19668affdeb9abfa27890915707a4ba319d25bbbf