Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce09b570c6fa68ae…

Verdict: MALICIOUS
File type: PDF
Size: 38.5 KB
Created: 2021-05-21 11:08:30 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3ce868d79be6f3eef64a2a3b2e2a4e2e
SHA-1: 7c0d252e3e0836e3f88dac5cb2ccc8ff4c978746
SHA-256: ce09b570c6fa68aea88d55ab21e337b4188aaa51b605f3e53230821d6da0bfff
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains multiple embedded URLs and a prominent 'CLICK HERE TO ACCESS TIKTOK GENERATOR' call to action linking to a suspicious domain (the netcdn.xyz URL listed under EMBEDDED_URL is the one whose path matches the TikTok lure), and the ML classifier also scores it as malicious. Together these mark the file as a lure document built to get the user to follow the link. None of the heuristics or carved artifacts point to active content inside the PDF itself (no JavaScript, no embedded file), so the linked page, not the document, is where any downloader or exploit would be delivered, and it is the part that needs to be fetched and examined next. The producer string and creation timestamp come from the PDF's /Info dictionary and are written by whoever generated the file; treat them as context, not evidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8060

Heuristics (4)

  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    The document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal on its own unless other findings point to a malicious workflow.
  • PDF_URI (info): External URI
    The PDF contains an external URL action (a /URI action, normally attached to a link annotation).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each one.
    Extracted URLs:
    • https://netcdn.xyz/app/835599320/free-tiktok-like-game-hack
    • https://www.gvandenakker.nl/images/free-spins-and-coins-com_GM406889139.pdf
    • https://www.gvandenakker.nl/images/how-to-make-roblox-clothes-for-free_GM431946152.pdf
    • https://www.gvandenakker.nl/images/robux-free-robux_GM431946152.pdf
    • https://www.gvandenakker.nl/images/coin-master-free-spin-link-daily_GM406889139.pdf
    • https://www.gvandenakker.nl/images/robux-free-gift-card_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind                      Source                                      Size
stream_002_off00003189.bin      decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x3189    24320 bytes
  SHA-256 f958cd75db29e574809c433c12fa4a0c3b1a558ad7c5c5255a42d1854bc3cca3
font_01_sfnt_off0000693a.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x693A   4268 bytes
  SHA-256 f47df3b7738a700c344184abddadcbb7a56fe8553145bc129db715bdc12738e9
font_02_sfnt_off00007775.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x7775   17456 bytes
  SHA-256 2612e5e228ce8c424fcb3a100408051ce9a88b2c89e0201ab469a717737f635a

Size is the size of the carved artifact after decoding, not the on-disk stream length: 0x7775 + 17456 bytes would run past the end of a 38.5 KB file, and 0x693A + 4268 bytes would overlap the second font's offset, so the font streams, like the content stream, are stored compressed in the file and were decoded before carving.