Malicious PDF — malware analysis report

Static analysis result for SHA-256 225cc61f2547fd87…

MALICIOUS

PDF

34.0 KB Created: 2021-05-23 05:08:12 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 8ae8f838c537a6006a268b741b9172dc SHA-1: 763367696bff9f5b5b97a9a515747bf36a4b1b4a SHA-256: 225cc61f2547fd87e24e912b23a4f94c889d20528f3d6e2371d320382aba5dbb
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains a fake CAPTCHA and a "Click here to download" lure, which are common social engineering tactics to trick users into executing malicious content. The embedded URLs point to sites offering "free followers" or "free spins," further indicating a scam or malware distribution attempt. While no scripts were directly extracted, the PDF structure and heuristics suggest it's designed to exploit user interaction, likely leading to the download of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9505

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/how-to-get-free-tiktok-followers-game-hack
    • https://elearning.man1inhil.sch.id/__statics/gudangsoal/files/coin-master-free-spins-link-no-verification-code_GM406889139.pdf
    • https://elearning.man1inhil.sch.id/__statics/gudangsoal/files/codes-how-to-get-free-robux_GM431946152.pdf
    • https://elearning.man1inhil.sch.id/__statics/gudangsoal/files/bloxpink-free-robux_GM431946152.pdf
    • https://elearning.man1inhil.sch.id/__statics/gudangsoal/files/can-you-get-robux-for-free_GM431946152.pdf
    • https://elearning.man1inhil.sch.id/__statics/gudangsoal/files/free-minecraft-hosting_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00002f67.bin
fd8aa1f9a0e9aad0f3e4968602336ee2ff62e5d38d76e6b23841caabb53a5b2a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F67 23632 bytes
font_01_sfnt_off00006535.bin
efb7503bfa77ecc57b32614c06d9641da1723dd074a5c375bb93bdb3ea7f449b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6535 17692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.