Malicious PDF — malware analysis report

Static analysis result for SHA-256 27c8d400f6e42106…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Created: 2021-07-20 05:51:53 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 97469d071631b934fbd4dbce89fc7f46
SHA-1: 924e0aa30ae6d5b02af545af6f402492e64b3c94
SHA-256: 27c8d400f6e4210689a46159f31c1f5c446698b44dc1045015ff6bebd550b136
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains multiple embedded URLs and a call-to-action phrase, strongly suggesting a lure that leads users to download potentially malicious content or visit phishing sites. The ML classifier also flagged this PDF as malicious with high confidence. The embedded URLs (most of them pointing at a raw IP address) and the document's 'free items' theme (free Robux, free TikTok followers, free Minecraft) match common social engineering tactics used to distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics (4)

  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://netcdn.tw/app/431946152/how-to-get-free-robux-on-computer-game-hack
    • http://118.174.0.244/UserFiles/File/free-spins-for-coin-master-2021_GM406889139.pdf
    • http://118.174.0.244/UserFiles/File/minecraft-pe-free-download_GM479516143.pdf
    • http://118.174.0.244/UserFiles/File/minecraft-free-trial_GM479516143.pdf
    • http://118.174.0.244/UserFiles/File/get-free-tiktok-followers_GM835599320.pdf
    • http://118.174.0.244/UserFiles/File/buy-tiktok-followers-free_GM835599320.pdf
    • http://118.174.0.244/UserFiles/File/free-tiktok-views_GM835599320.pdf
    • http://118.174.0.244/UserFiles/File/free-robux-2021_GM431946152.pdf
    • http://118.174.0.244/UserFiles/File/ways-to-get-free-robux_GM431946152.pdf
    • http://118.174.0.244/UserFiles/File/how-to-get-minecraft-dungeons-for-free_GM479516143.pdf
    • http://118.174.0.244/UserFiles/File/how-to-get-free-coins-on-tiktok_GM835599320.pdf
    • http://en.wikipedia.org/wiki/MIT_License
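As an added illustration (this is not the analyser's own code, and the PDF bytes it scans are constructed here rather than carved from the reported sample), the following Python reproduces the three structural checks above: PDF_URI_IP_LITERAL, SE_DOWNLOAD_BUTTON and PDF_URI. It scans the raw file and every FlateDecode stream it can inflate (link annotations are often packed into object streams, which is why a plain `strings` run misses them), pulls out `/URI (...)` actions, and flags any whose host parses as an IP literal, plus the call-to-action phrases the report names. The rule IDs, the `build_sample_pdf` helper and the minimal PDF layout are assumptions made for the example; two of the embedded URLs are taken from the report's own list.

```python
import ipaddress
import re
import zlib
from urllib.parse import urlparse

# Constructed sample (NOT the analysed file): one plain /URI link annotation, one
# uncompressed content stream carrying a call-to-action phrase, and one FlateDecode
# object stream hiding a second link whose host is a raw IPv4 address.
def build_sample_pdf() -> bytes:
    hidden = (b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (http://118.174.0.244/UserFiles/File/free-robux-2021_GM431946152.pdf) >> >> endobj")
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (http://en.wikipedia.org/wiki/MIT_License) >> >> endobj\n"
        b"6 0 obj << /Length 33 >> stream\nBT (Click here to download) Tj ET\nendstream endobj\n"
        b"8 0 obj << /Type /ObjStm /Filter /FlateDecode /Length " + str(len(packed)).encode()
        + b" >> stream\n" + packed + b"\nendstream endobj\n"
        b"%%EOF\n"
    )

# stream ... endstream bodies; only literal-string URIs "(...)" are handled, hex "<...>" are not.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# Phrases the SE_DOWNLOAD_BUTTON heuristic in the report names (assumed list).
CTA_RE = re.compile(rb"click here to download|download now", re.I)


def inflated_streams(data: bytes) -> list:
    """Return the inflated body of every stream that zlib can decompress."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # uncompressed, or a filter other than FlateDecode
    return out


def _unescape(s: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_uris(data: bytes) -> list:
    """All /URI action targets, in order of first appearance, raw bytes first."""
    uris = []
    for blob in [data] + inflated_streams(data):
        for m in URI_RE.finditer(blob):
            u = _unescape(m.group(1))
            if u not in uris:
                uris.append(u)
    return uris


def is_ip_literal(url: str) -> bool:
    """True when the URL host is a bare IPv4 or IPv6 address instead of a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(data: bytes) -> dict:
    """Apply the three checks and return the rule IDs that fired, in severity order."""
    uris = extract_uris(data)
    ip_uris = [u for u in uris if is_ip_literal(u)]
    cta_hits = []
    for blob in [data] + inflated_streams(data):
        for m in CTA_RE.finditer(blob):
            phrase = m.group(0).decode("latin-1")
            if phrase not in cta_hits:
                cta_hits.append(phrase)
    findings = []
    if ip_uris:
        findings.append("PDF_URI_IP_LITERAL")
    if cta_hits:
        findings.append("SE_DOWNLOAD_BUTTON")
    if uris:
        findings.append("PDF_URI")
    return {"uris": uris, "ip_literal_uris": ip_uris, "cta_hits": cta_hits, "findings": findings}


if __name__ == "__main__":
    for k, v in triage(build_sample_pdf()).items():
        print(f"{k}: {v}")
```

The regex approach is enough to reproduce these findings on unencrypted files, but it is a triage aid, not a parser: hex-string URIs, encrypted documents, and streams using LZW or ASCIIHex filters fall through it silently, and the CTA match is as low-signal here as the report says it is. For anything that feeds a verdict, drive the same logic from a real PDF object parser.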

Extracted artifacts (2)

Files carved from inside the sample during analysis.

stream_002_off000030cc.bin
  SHA-256: b683480d738d30b13fd6b509b2c7a1ed1acc4f0c302969ad9e315971659cbb8c
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x30CC
  Size: 23204 bytes

font_01_sfnt_off00006509.bin
  SHA-256: 45ab1b38094dcf93b5bcb7e9add098b6c863ed9ada52ace8b55ee9180603d92b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6509
  Size: 18904 bytes