Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cb16230cac28737…

MALICIOUS

PDF

38.6 KB Created: 2021-05-22 09:09:29 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 1d4fec6322bf89ec15d4c846f8d84e9f SHA-1: 769486a08db483c494082e56217ff6e53124b0c6 SHA-256: 8cb16230cac287370040423e27bb8b64a067d5b46df20b9097895f1bd3969eaa
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document employs social engineering tactics, including a fake CAPTCHA and a browser extension installation lure, to deceive users. It directs users to a malicious URL, https://netcdn.xyz/app/835599320/is-tiktok-free-game-hack, which likely serves as a download or further redirection point for malware. The presence of multiple embedded URLs and the ML classifier's high confidence score support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/is-tiktok-free-game-hack
    • http://www.kesambibaru.com/new/public/ckfinder/userfiles/files/roblox-ftw_GM431946152.pdf
    • http://www.kesambibaru.com/new/public/ckfinder/userfiles/files/coin-master-daily-free-spins-and-coins-2021_GM406889139.pdf
    • http://www.kesambibaru.com/new/public/ckfinder/userfiles/files/roblox-free-play_GM431946152.pdf
    • http://www.kesambibaru.com/new/public/ckfinder/userfiles/files/coin-master-hack-2021-ios_GM406889139.pdf
    • http://www.kesambibaru.com/new/public/ckfinder/userfiles/files/wurst-112-2_GM479516143.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003178.bin
a6100bde60483fff6d460083c74784a033717695b2da4a24788c49be13c5c3d0		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3178 27020 bytes
font_01_sfnt_off00006dea.bin
10d025f04f706eb71cdda4f99784df1b9ccb52e48080e43095e0398eaef6f132		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DEA 2880 bytes
font_02_sfnt_off000077d4.bin
9ac98d03116b0178d2440c8519b51994e916559904e102c6f95e7069a9c516c8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77D4 17456 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.