Malicious PDF — malware analysis report

Static analysis result for SHA-256 a80451730f729be7…

Verdict: MALICIOUS
File type: PDF
Size: 30.4 KB
Created: 2021-07-19 07:52:42 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: ec3d21bb114739f0cd9c46f22449d483
SHA-1: f2769b44bcf5b6780f461665c6b700fa375b5ce0
SHA-256: a80451730f729be7b1bbdf771733a7425c33d38e93538fd7738720e54668b31f
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and a call-to-action button, strongly suggesting a phishing or malware distribution attempt. The document body explicitly mentions 'Get Free Tiktok Followers' and provides links to external sites, including one with an IP address, which are likely intended to lead users to malicious content or scams. No scripts were extracted, but the presence of malicious URIs and the ML classifier's high confidence indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9255

Heuristics (4)

  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://netcdn.tw/app/835599320/get-free-tiktok-followers-game-hack
      • http://118.174.0.244/UserFiles/File/how-to-hack-a-roblox-account-2021_GM431946152.pdf
      • http://118.174.0.244/UserFiles/File/is-it-possible-to-get-free-robux_GM431946152.pdf
      • http://118.174.0.244/UserFiles/File/coin-master-free-spins-2021_GM406889139.pdf
      • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00002571.bin
  SHA-256: 5e3c0b4597d9877527b8c3e513283560ffcf3e1d45ca54afa972011b24153d15
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2571
  Size: 22156 bytes

Filename: font_01_sfnt_off000056e8.bin
  SHA-256: 02c3cedea4a2807b323b614e41e6797ad921ddb65350057b59541dca36dbbb9a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x56E8
  Size: 17692 bytes