Malicious PDF — malware analysis report

Static analysis result for SHA-256 82082a4ca32c66bd…

MALICIOUS

PDF

38.3 KB Created: 2021-05-20 14:12:55 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: ae132bd1533abebb115ad84ceb88de11 SHA-1: 1f2aff421294323e0f1f3bad56c542f679d4f91d SHA-256: 82082a4ca32c66bdaf4e4bc1288d94069121b86ef9d58365c78ce47849782abc
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains embedded URLs and a call-to-action phrase, 'CLICK HERE TO ACCESS TIKTOK GENERATOR', which strongly suggests a lure for malicious content. The heuristic 'SE_MFA_LURE' indicates the document may also be designed to harvest credentials or session tokens. The presence of multiple suspicious URLs points to a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7268

Heuristics 4

  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/is-tiktok-free-to-use-game-hack PDF link annotation
    • http://ipdrs.org/images/minecraft-server-hacks_GM479516143.pdfIn PDF document text
    • http://ipdrs.org/images/coin-master-hack-ios-no-verification_GM406889139.pdfIn PDF document text
    • http://ipdrs.org/images/coin-master-free-spins-link-blogspot-2021_GM406889139.pdfIn PDF document text
    • http://ipdrs.org/images/optifine-minecraft-pe_GM479516143.pdfIn PDF document text
    • http://ipdrs.org/images/coin-master-free-spins-1-coin-master_GM406889139.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003172.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3172 25668 bytes
SHA-256: c848c6eaee5405ce1b5ed8a63306ac74395e3db5ac64ad2e7c9c5566c40a7c4e
font_01_sfnt_off00006c3c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6C3C 2888 bytes
SHA-256: 2f5f0fc0bc2e44a39e81df338c202d2aa9228409b57f32fbedd5805dc83e19fa
font_02_sfnt_off0000762d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x762D 17644 bytes
SHA-256: 64d4d49e1254e5cb924f38655c14d3ad028ecff57352d42b38c9956f6d5a4696

Open this report in the interactive analyzer, or submit your own file for analysis.