Malicious PDF — malware analysis report

Static analysis result for SHA-256 caff758f7b674725…

MALICIOUS

PDF

35.4 KB Created: 2021-05-21 09:09:15 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 741d9f12d4758faec1ae13a4b250a998 SHA-1: 2336cc62569f66d90122d23213dcad72f025bd39 SHA-256: caff758f7b6747253a41cc1b5cda1f802bb6b682675eb843dbedfaffa1562b52
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains embedded links and a visual call-to-action button, impersonating brands like Facebook to trick users into clicking a link. The primary malicious URL identified is https://netcdn.xyz/app/835599320/free-tiktok-likes-no-human-verification-game-hack, which is associated with a credential phishing lure. The document's structure and embedded links suggest it's designed to lead users to potentially malicious websites offering fake rewards or cheats.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9648

Heuristics 4

  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: https://netcdn.xyz/app/835599320/free-tiktok-likes-no-human-verification-game-hack.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/free-tiktok-likes-no-human-verification-game-hack PDF link annotation
    • http://www.friendshiptransport.net/images/coin-master-daily-rewards-link_GM406889139.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/blox-pink-robux-free_GM431946152.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/master-coin-hack_GM406889139.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/how-to-hack-coin-master-game_GM406889139.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/free-robux-obby-2021_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003387.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3387 23728 bytes
SHA-256: 6d0b870b5312e673d92e89c68ea8aed23eb1e52950df6eb9316eff5ebb2a4e99
font_01_sfnt_off0000693d.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x693D 18216 bytes
SHA-256: 7f7a28e514a9270cf7306bcf3dcd1c439e7cbbd643f2c0f311b245f4977e5694