Malicious PDF — malware analysis report

Static analysis result for SHA-256 53479aeb2dc2ba75…

MALICIOUS

PDF

36.7 KB Created: 2021-05-23 01:04:37 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 644031951232bfbc71ec4f3abff0430c SHA-1: d01f6664291f21384fe7b679bb260a21a94a6a78 SHA-256: 53479aeb2dc2ba75ab2195bcef20241976d120ac557082f866e64aae7ea956a1
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a lure related to obtaining free likes on TikTok, coupled with heuristics indicating a browser extension installation lure and an external URI pointing to a suspicious domain. The document body, though partially corrupted, contains references to the lure and the malicious URL. The presence of embedded URLs and the ML classifier's high confidence score suggest malicious intent, likely to trick users into downloading further malicious content or providing credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9447

Heuristics 4

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/get-free-likes-on-tiktok-game-hack
    • https://www.kaojen.com.tw/upload/files/free-coin-master-cards_GM406889139.pdf
    • https://www.kaojen.com.tw/upload/files/card-hack-in-coin-master_GM406889139.pdf
    • https://www.kaojen.com.tw/upload/files/best-free-minecraft-server-hosting-reddit_GM479516143.pdf
    • https://www.kaojen.com.tw/upload/files/free-unlimited-robux_GM431946152.pdf
    • https://www.kaojen.com.tw/upload/files/minecraft-tools_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000035e2.bin
319e2dc358a3208bfa3df18421b9ec2b693718f395fb14c6e41cb008e4b37eb5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x35E2 26436 bytes
font_01_sfnt_off000070a4.bin
782ce757928ab8849be8d7d6232199a595fd3f8ee03de5cb15c7b9ee803e6cfd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70A4 17456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.