Malicious PDF — malware analysis report

Static analysis result for SHA-256 b998d0a13d7845d9…

MALICIOUS

PDF

39.0 KB Created: 2021-05-22 08:17:23 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 56df9cdf9ad660243b73464c7018027b SHA-1: 23854f53d68f5a594eb073c6ec88658aa0ff4357 SHA-256: b998d0a13d7845d9052478d58b7508e8c5f356a95cec9600676f69a591971b71
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains a fake CAPTCHA lure, designed to trick users into clicking embedded links. The primary malicious URL, https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack, suggests a social engineering pretext related to online verification or game hacks. The document body and embedded links indicate a phishing attempt to drive users to download potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/how-to-get-verified-on-tiktok-for-free-game-hack
    • http://knjiznica-oroslavje.hr/files/free-100-robux_GM431946152.pdf
    • http://knjiznica-oroslavje.hr/files/free-spin-coin-master-link-2021_GM406889139.pdf
    • https://www.knjiznica-oroslavje.hr/files/minecraft-wurst-client_GM479516143.pdf
    • http://knjiznica-oroslavje.hr/files/how-to-make-a-server-in-minecraft-java-for-free_GM479516143.pdf
    • https://www.knjiznica-oroslavje.hr/files/how-to-get-free-robux-without-downloading-apps_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000034b0.bin
f33c20e6daa0d6918b5e11de8b50ad1ceb7d9ba2ad419aacc4559a156928e441		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x34B0 24872 bytes
font_01_sfnt_off00006df2.bin
2f5f0fc0bc2e44a39e81df338c202d2aa9228409b57f32fbedd5805dc83e19fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DF2 2888 bytes
font_02_sfnt_off000077e2.bin
e37ad39f5ad2ca92ca27a26cd5cddcc2f7e09660446c4b75033bd08f8a796cf2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x77E2 17928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.