Malicious PDF — malware analysis report

Static analysis result for SHA-256 e249acf7b3cfecd8…

MALICIOUS

PDF

38.7 KB Created: 2021-05-25 11:03:29 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-17
MD5: de21a90b66171eb50038b2f5f1f650c6 SHA-1: e43e7bf3355de8ddcd70f06826fc8a11fb2b387f SHA-256: e249acf7b3cfecd8e6d4b73ffdf3b5df439ec4de005111aea1fb6445fc5f497f
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a link disguised as a 'free generator / game hack' for TikTok followers, which redirects to a malicious URL. This lure is a common social engineering tactic to trick users into visiting potentially harmful sites. While no scripts were directly executed, the PDF structure and embedded links suggest an attempt to redirect the user to a malicious resource, likely for further exploitation or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8060

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/835599320/tiktok-follower-bot-free-game-hack PDF link annotation
    • http://elearning.man1indramayu.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-without-verification_GM431946152.pdfIn PDF document text
    • http://elearning.man1indramayu.sch.id/__statics/gudangsoal/files/coin-master-tips_GM406889139.pdfIn PDF document text
    • http://elearning.man1indramayu.sch.id/__statics/gudangsoal/files/minecraft-free_GM479516143.pdfIn PDF document text
    • http://elearning.man1indramayu.sch.id/__statics/gudangsoal/files/how-to-get-free-robux-without-doing-anything_GM431946152.pdfIn PDF document text
    • http://elearning.man1indramayu.sch.id/__statics/gudangsoal/files/how-to-get-hacks-on-roblox_GM431946152.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00003039.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3039 26852 bytes
SHA-256: c068c35bfdb2b2ec6ec90df338d6e7d231174f4e4ac116dca0a4e5808bc38a3f
font_01_sfnt_off00006ce1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6CE1 2940 bytes
SHA-256: eb230542719c96b42e3fd8bb01e35f13ebd5f02629049da3a58e7fd7607bf48a
font_02_sfnt_off000076f0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x76F0 17912 bytes
SHA-256: 36efea1239131c533f338518497dff1810050ff8e972c00fb3f35d249e370860