Malicious PDF — malware analysis report

Static analysis result for SHA-256 090f56d190438acc…

MALICIOUS

PDF

54.4 KB Created: 2021-04-06 15:02:14 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-12
MD5: 9b018deda10df5746dd80a6d6ccd94f6 SHA-1: 5707c2a61b9b75881d5ab0d6ba4a0e4493223bfd SHA-256: 090f56d190438acc1b8da8b95db925828f05a4ccc6f344073838707d8516c806
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple lures related to "game hacks" and "free Robux", directing users to external URLs. The primary URL, https://enigmagenerator.com/app/431946152/roblox-game-hack, is flagged as a redirector for game hacks. This indicates a social engineering tactic to trick users into visiting malicious sites, likely for phishing or malware distribution. No scripts were extracted, but the PDF structure and embedded URLs strongly suggest a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8413

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://enigmagenerator.com/app/431946152/roblox-game-hack PDF link annotation
    • http://www.fluidtech.hu/images/how-to-get-free-robux-generator-no-human-verification.pdfIn PDF document text
    • https://www.wildpark-johannismuehle.de/images/how-to-download-hack-roblox-jailbreak.pdfIn PDF document text
    • http://internetdeputy.com/images/fun-games-to-hack-on-roblox.pdfIn PDF document text
    • https://www.guterdj.de/images/free-code-card-robux.pdfIn PDF document text
    • http://www.jureclomas.com.ar/images/how-to-get-free-robux-legit-not-a-scam.pdfIn PDF document text
    • https://imagineclimb.com/images/hack-de-restaurant-tycoon-roblox.pdfIn PDF document text
    • https://www.stoehr-sauer.de/images/roblox-how-to-get-free-animation-packs.pdfIn PDF document text
    • https://www.milewood.co.uk/images/how-to-make-developer-products-free-on-roblox.pdfIn PDF document text
    • http://ipdrs.org/images/roblox-xxtrefetrxx-is-hacking.pdfIn PDF document text
    • http://aadvanderklaauw.nl/images/when-is-vesteria-roblox-predicted-to-be-free.pdfIn PDF document text
    • http://ghegamethu.vn/images/is-roblox-being-hacked-2021.pdfIn PDF document text
    • http://arch-centr.ru/images/free-robux-no-human-verification-no-email.pdfIn PDF document text
    • https://www.ergolight.at/images/roblox-build-a-boat-for-treasure-hack-download.pdfIn PDF document text
    • https://piscinasmundoacuatico.com/images/in-roblox-field-of-battle-how-do-you-hack.pdfIn PDF document text
    • http://domaizdereva24.ru/images/insert-gear-roblox-hack.pdfIn PDF document text
    • http://iprep-u.com/images/how-to-get-robux-for-free-editthiscookie.pdfIn PDF document text
    • http://www.prylfabriken.se/images/roblox-speed-cheat.pdfIn PDF document text
    • http://subarulegacy.com/images/roblox-online-us-roblox-hack.pdfIn PDF document text
    • https://roberto-gac.com/images/i-am-now-crying-because-i-got-hacked-roblox.pdfIn PDF document text
    • http://unc-europe.com/images/genewin-how-to-get-free-robux.pdfIn PDF document text
    • http://schrichte.de/images/how-to-get-free-catalog-items-on-roblox-vortex.pdfIn PDF document text
    • http://www.hotelcimone.it/images/roblox-building-hacker-gegen.pdfIn PDF document text
    • http://cadcam.no/images/prison-life-vending-machine-gives-free-robux-roblox.pdfIn PDF document text
    • http://precisionheavyhaul.com/images/free-robux-easy-money.pdfIn PDF document text
    • http://ghhs.com.my/images/chat-hack-roblox.pdfIn PDF document text
    • http://shootawayproduction.com/images/how-to-get-free-robux-no-hack-or-download.pdfIn PDF document text
    • https://socialvalue.gr/images/how-to-have-bc-free-roblox-2021.pdfIn PDF document text
    • http://bagliomangiapane.com/images/how-to-use-game-hacker-on-roblox.pdfIn PDF document text
    • http://gvtssp.org/images/easy-roblox-hack-2021.pdfIn PDF document text
    • http://gestibrok.com/images/free-roblox-exploit-lua-script-executor-free-no-virus.pdfIn PDF document text
    • http://www.peterdejonge.nl/images/how-to-get-unlimited-free-robux-on-roblox-2021-jefftec.pdfIn PDF document text
    • http://www.anies.eu/images/roblox-r-cheats-2021.pdfIn PDF document text
    • http://www.lycee-langevin-wallon.com/images/how-to-cheat-in-roblox-eep-city-starball.pdfIn PDF document text
    • https://www.saisystem.it/images/free-robux-generator-activation-code.pdfIn PDF document text
    • https://verdensbarn.no/images/how-to-get-free-clothes-in-roblox-2021.pdfIn PDF document text
    • https://masseymotorcars.com/images/free-robux-hack-website.pdfIn PDF document text
    • https://www.archimadrid.org/images/flobfun-roblox-hacker-sur-pc.pdfIn PDF document text
    • http://properteez.com/images/roblox-free-username-change.pdfIn PDF document text
    • http://posterprintshop.nl/images/free-abs-roblox.pdfIn PDF document text
    • http://alexandrion.com/images/easy-hack-method-roblox.pdfIn PDF document text
    • http://riccardodurso.it/images/roblox-chrome-extension-hack.pdfIn PDF document text
    • http://biccairo.com/images/games-in-roblox-to-get-free-robux.pdfIn PDF document text
    • http://hk-kan.org/images/how-to-become-a-roblox-admin-for-free.pdfIn PDF document text
    • http://elitesoftsolutions.com/images/hack-scripts-for-roblox-trackid-sp006.pdfIn PDF document text
    • http://linde-erbach.de/images/roblox-cartoony-animation-free.pdfIn PDF document text
    • https://grovehilloutfitters.com/images/how-to-get-admin-commands-on-roblox-for-free.pdfIn PDF document text
    • https://roberto-gac.com/images/roblox-island-royale-free.pdfIn PDF document text
    • https://www.gymun.cz/images/how-to-hack-peoples-accounts-in-roblox.pdfIn PDF document text
    • http://arthakranti.org/images/free-robux-pastebin-promocode.pdfIn PDF document text
    +18 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00007469.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7469 25204 bytes
SHA-256: 42f1a5fce99443e91599b246c056f1e42102063a34487216908e9ada69cdb402
font_01_sfnt_off0000aeec.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAEEC 18892 bytes
SHA-256: 3c7f10289f00190335fec00a30f0dc9eec15a9174f1c14f6c972da5d9cd6dd0f