Malicious PDF — malware analysis report

Static analysis result for SHA-256 7b1680fbdc70e008…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Created: 2021-05-20 12:43:32 +07:00 (taken from the document's own metadata, which the author controls)
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7), an HTML-to-PDF converter, so the document was most likely rendered from a web page
First seen: 2021-09-27
MD5: e7381aa5a26045d6a713a8788c983dc2
SHA-1: 592b490d16e4b0f3b18b7178ef5b3d527fa0c4a1
SHA-256: 7b1680fbdc70e0088a9e31fb01972020b84e2fd46abbe912779769ef770daf8f
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF is a lure for a fake TikTok verification generator: it impersonates the brand to get the reader to click a link. The call-to-action link, https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack, is hosted on an unrelated, low-reputation domain rather than on tiktok.com and is most likely a credential-harvesting page or a malware download. The ML classifier also rates the file malicious. Note that none of the findings below report active content (JavaScript, launch actions, embedded files); the T1203 mapping rests on the classifier score rather than on an observed exploit, so treat the exploitation angle as potential and the phishing link as the confirmed delivery mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9508

Heuristics (4)

  • SE_BRAND_CREDENTIAL_PHISH (high): Brand-impersonation credential phishing lure
    The document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: the call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is low-signal on its own unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JS, link annotation, document body, ...) reached each URL. Only the first URL is wired to a clickable link annotation; the rest appear in the rendered text. The pustaka.smpmuh2yk.sch.id paths follow the same free-game-hack naming theme as the lure and are retained here as IOCs exactly as extracted, including the doubled slashes.
    • https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack (PDF link annotation)
    • http://pustaka.smpmuh2yk.sch.id//repository/hackear-coin-master-android_GM406889139.pdf (PDF document text)
    • http://pustaka.smpmuh2yk.sch.id/repository/pokemon-go-windows-free-download_GM1094591345.pdf (PDF document text)
    • http://pustaka.smpmuh2yk.sch.id/repository/free-spin-coin-master-online_GM406889139.pdf (PDF document text)
    • http://pustaka.smpmuh2yk.sch.id/repository/free-free-robux_GM431946152.pdf (PDF document text)
    • http://pustaka.smpmuh2yk.sch.id//repository/coin-master-35-2-hack_GM406889139.pdf (PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis. Neither artifact is referenced by a heuristic; the hashes are listed so the streams can be matched against other samples from the same lure kit.

  • stream_002_off00003259.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3259
    Size: 24072 bytes
    SHA-256: dd8c1edddc637c4db79f2662e7034732edb87c8e3b262a025873c0214dcc2e56
  • font_01_sfnt_off00006934.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6934
    Size: 17928 bytes
    SHA-256: e37ad39f5ad2ca92ca27a26cd5cddcc2f7e09660446c4b75033bd08f8a796cf2
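As an added worked example (not part of this report and not the analysis platform's own tooling), the Python script below reproduces on a constructed stand-in PDF the three checks the findings above describe: it enumerates /URI link actions (PDF_URI), inflates FlateDecode streams, hashes them and pulls URLs out of the page text (EMBEDDED_URL and the carved stream_002 artifact), and flags link-annotation hosts that are not on the impersonated brand's own domain (the SE_BRAND_CENTIAL_PHISH corroboration). The sample PDF built by build_sample_pdf, the LEGIT_HOSTS allow-list and all function names are assumptions made for the demonstration. The parsing is regex-based and triage-grade: it will miss actions written with hex strings or a different key order, and streams packed inside object streams, so use a real PDF parser on anything obfuscated.

```python
"""Triage-grade PDF URL and stream extractor (added example, not the report's tooling)."""
import hashlib
import re
import zlib
from urllib.parse import urlsplit

# Constructed sample inputs (assumption: stand-ins for the analysed file).
CTA_URL = "https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack"
BODY_URLS = ["http://en.wikipedia.org/wiki/MIT_License", "http://example.invalid/lure.pdf"]
LEGIT_HOSTS = {"tiktok": ("tiktok.com",)}  # assumption: tiny brand -> domain allow-list


def build_sample_pdf(annot_url, body_urls):
    """Minimal PDF: one FlateDecoded page stream plus one /Link annotation with a /URI action."""
    content = f"BT /F1 12 Tf 72 720 Td ({' '.join(body_urls)}) Tj ET".encode()
    packed = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 730] /A << /S /URI /URI (%s) >> >>"
        % annot_url.encode(),
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# /URI action as written by most generators; hex strings or reordered keys are not handled.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Stream dictionary (one level of nesting) followed by its raw data.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def carve_streams(pdf):
    """Return (data_offset, filter, data, sha256) per stream, inflating FlateDecode ones."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        dict_, data = m.group(1), m.group(2)
        filt = "FlateDecode" if b"/FlateDecode" in dict_ else "none"
        if filt == "FlateDecode":
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # damaged or deliberately broken stream: skip rather than crash
        out.append((m.start(2), filt, data, hashlib.sha256(data).hexdigest()))
    return out


def extract_urls(pdf):
    """(url, channel) pairs: /URI actions first, then URLs found in (inflated) stream text."""
    urls = [(m.group(1).decode("latin-1"), "PDF link annotation") for m in URI_ACTION_RE.finditer(pdf)]
    for _, _, data, _ in carve_streams(pdf):
        urls += [(u.decode("latin-1"), "PDF document text") for u in URL_RE.findall(data)]
    return urls


def off_brand_links(urls, brand):
    """Link-annotation URLs whose host is not the impersonated brand's own domain."""
    legit = LEGIT_HOSTS[brand]
    bad = []
    for url, channel in urls:
        if channel != "PDF link annotation":
            continue
        host = (urlsplit(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in legit):
            bad.append(url)
    return bad


def triage(pdf, brand):
    """Bundle the three checks; stream offsets are reported in hex like the report above."""
    urls = extract_urls(pdf)
    streams = [(hex(off), filt, len(data), digest) for off, filt, data, digest in carve_streams(pdf)]
    return {"urls": urls, "off_brand": off_brand_links(urls, brand), "streams": streams}


if __name__ == "__main__":
    result = triage(build_sample_pdf(CTA_URL, BODY_URLS), "tiktok")
    for url, channel in result["urls"]:
        print(f"{channel:22} {url}")
    print("off-brand CTA links:", result["off_brand"])
    for off, filt, size, digest in result["streams"]:
        print(f"stream at {off} ({filt}, {size} bytes) sha256={digest}")
```

Run it as-is to see the three channels separated the way the report labels them; to triage a real file, replace the constructed sample with open(path, "rb").read() and set the brand to whatever the lure impersonates.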