Malicious PDF — malware analysis report

Static analysis result for SHA-256 efd701ca14876501…

Verdict: MALICIOUS

File type: PDF

Size: 39.3 KB
Created: 2021-05-22 16:08:19 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b63ef64dc992206e3e8f38a89054c440
SHA-1: 5163d15dd55f096ce42933bed42cfb32a66bc0c9
SHA-256: efd701ca14876501cb98343e3617218422235e511e85266510a8b2d3eaec0ff8
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains embedded URLs and text promoting a "TikTok Likes Generator" and a "CLICK HERE TO ACCESS TIKTOK GENERATOR" button, indicating a phishing or scam attempt. The presence of a callback lure heuristic suggests a potential for social engineering to extract further information or payment. While no scripts were explicitly extracted, the ML classifier flagged the PDF as malicious, and the embedded URLs are highly suspicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8068

Heuristics (4)

  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://netcdn.xyz/app/835599320/tiktok-likes-for-free-game-hack
    • http://www.danzamaniapergine.it/images/free-spins-coin-master-2021_GM406889139.pdf
    • http://www.danzamaniapergine.it/images/free-robux-sites-that-work_GM431946152.pdf
    • http://www.danzamaniapergine.it/images/how-to-get-a-free-minecraft-account_GM479516143.pdf
    • http://www.danzamaniapergine.it/images/free-coin-master-spins-daily_GM406889139.pdf
    • http://www.danzamaniapergine.it/images/pokemon-go-free-hack-ios_GM1094591345.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: stream_002_off00003238.bin
SHA-256: 4fc06e88d4230e73f06198909511c7f0779853dc927a01604e144cc6b7652a3b
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x3238
Size: 26600 bytes

Filename: font_01_sfnt_off00007074.bin
SHA-256: 02b35010e2614e3cc95ac6414c49295350c91fdfcc4b4cad27ffdbc10e80df7f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7074
Size: 2912 bytes

Filename: font_02_sfnt_off00007a70.bin
SHA-256: 6bc07a916d4e04dd857b15fc22f6a85a1633f574b63a4730ea8dc15634c660b5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7A70
Size: 17456 bytes