Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f079104c6554fe5…

MALICIOUS

PDF

33.8 KB Created: 2021-07-19 12:02:15 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: fe47654a2c1866e61bcc2e44d77c7fd4 SHA-1: 43fdd4c08df2d484f6b6c1659a37687a5c6b13e2 SHA-256: 8f079104c6554fe5a682dac166901bde6845af48061aaf4e239cb6307b6a24ac
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple embedded URLs pointing to sites offering 'free followers' or 'hacks' for popular games and social media platforms, indicating a lure for potentially malicious downloads. The ML classifier strongly flagged this PDF as malicious, and the presence of a download button lure reinforces the malicious intent. The document body contains obfuscated text and explicit calls to action, further supporting a phishing or scam attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9946

Heuristics 4

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://netcdn.tw/app/835599320/free-tiktok-followers-app-game-hack PDF link annotation
    • http://www.flotom.at/images/tiktok-followers-for-free_GM835599320.pdfIn PDF document text
    • http://www.flotom.at/images/how-to-hack-someones-roblox-account_GM431946152.pdfIn PDF document text
    • http://www.flotom.at/images/minecraft-for-free-on-phone_GM479516143.pdfIn PDF document text
    • http://www.flotom.at/images/roblox-com-free-robux_GM431946152.pdfIn PDF document text
    • http://www.flotom.at/images/how-to-get-verified-on-tiktok-for-free-2021_GM835599320.pdfIn PDF document text
    • http://www.flotom.at/images/coin-master-free-link_GM406889139.pdfIn PDF document text
    • http://www.flotom.at/images/coin-master-free-spins-link-blogspot-2021_GM406889139.pdfIn PDF document text
    • http://www.flotom.at/images/i-got-hacked-on-roblox_GM431946152.pdfIn PDF document text
    • http://www.flotom.at/images/free-minecraft-alt-generator_GM479516143.pdfIn PDF document text
    • http://www.flotom.at/images/robux-free-2021_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003100.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3100 22588 bytes
SHA-256: af441fd972f805d7b4248a654c413afd80be0ce5d881d5e81b7bc559a00cb1e5
font_01_sfnt_off0000638b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x638B 17872 bytes
SHA-256: 34129f1c56e014fb2604607ed740d581eed4f4cd55f156cb19b3173e06165e4c