Malicious PDF — malware analysis report

Static analysis result for SHA-256 be45827bd1314365…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Created: 2021-05-24 00:43:09 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 51954ab0bf7beca46c668899316deb02
SHA-1: 86fe48abbaa736433b683c64025532519c635527
SHA-256: be45827bd1314365567772a05e325dcd7a90923c736756ffd8bcd66dfdc907e4
Risk Score: 82

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains lures for game hacks and follower bots, including a prominent "CLICK HERE TO ACCESS TIKTOK GENERATOR" call to action. It embeds multiple URLs pointing to potentially malicious files, with one URL being directly referenced in the document body. The ML classifier also flagged this PDF as malicious, indicating a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8060

Heuristics (4)

  • [high] SE_MFA_LURE: MFA / one-time-code harvesting lure
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • [low] SE_DOWNLOAD_BUTTON: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://netcdn.xyz/app/835599320/tiktok-follower-bot-free-game-hack
    • http://www.ksmt.edu.np/assets/ckfinder/userfiles/files/game-hack-coin-master_GM406889139.pdf
    • http://www.ksmt.edu.np/assets/ckfinder/userfiles/files/minecraft-dungeons-free-download_GM479516143.pdf
    • http://www.ksmt.edu.np/assets/ckfinder/userfiles/files/minecraft-fly-hack_GM479516143.pdf
    • http://www.ksmt.edu.np/assets/ckfinder/userfiles/files/minecraft-build-hacks_GM479516143.pdf
    • http://www.ksmt.edu.np/assets/ckfinder/userfiles/files/coin-master-33-hack-version-download_GM406889139.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_002_off00003123.bin
  SHA-256: 3fa8897c1cd4e01cd255245beb5a868bba7bc07d8305d14f9d6e714f9fdffe1d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x3123
  Size: 26916 bytes

Filename: font_01_sfnt_off00006df8.bin
  SHA-256: eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DF8
  Size: 2940 bytes

Filename: font_02_sfnt_off00007807.bin
  SHA-256: 36efea1239131c533f338518497dff1810050ff8e972c00fb3f35d249e370860
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7807
  Size: 17912 bytes