Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ee8d73e6e0669a8…

Verdict: MALICIOUS
File type: PDF
Size: 253.3 KB
Created: 2021-04-04 11:02:06 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: 74db1403bc49144292e714d5317750c1
SHA-1: d645195421852a0e98508a13f823da46be7a43c7
SHA-256: 0ee8d73e6e0669a85f7a4b125e8742ced3117c0e81842b713a05400e02ed60ed
Risk score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

ClamAV flags the file with a Roblox-specific phishing signature (Pdf.Phishing.Roblox062100-9873116-0). Although the document body is heavily obfuscated, its text references 'Speed Hack Roblox 2021', and the producer metadata shows it was rendered with wkhtmltopdf, an HTML-to-PDF converter, so the document is most likely a web lure page exported to PDF. The single clickable link annotation and the thirty URLs found in the page text (plus one unrelated Wikipedia link) all point to pages promising 'Roblox hacks' or 'free Robux', hosted under /images/ paths on many unrelated domains, which is the pattern of a phishing or malware-distribution lure. The external URI action and the nature of the lures indicate an attempt to get the reader to click through and download software from those sites. Static analysis does not follow the links, so whatever those sites serve is not characterised here; the extracted URLs are the pivot points for further investigation.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1358

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal on its own, unless other findings point to a malicious workflow
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gaminggenerator.org/app/431946152/speed-hack-roblox-2021-in-any-game (PDF link annotation)
    • http://aeroclub-kaernten.at/images/flob-fun-robux-hack.pdf (in PDF document text)
    • http://ce-tsv-nantes.fr/images/roblox-free-accessories-codes.pdf (in PDF document text)
    • http://serviio.org/images/est-il-facile-de-hack-sur-roblox.pdf (in PDF document text)
    • http://ims-77.fr/images/how-to-hack-mad-city-in-roblox.pdf (in PDF document text)
    • http://tecnodue.com/images/how-to-hack-atm-in-emergancy-response-roblox.pdf (in PDF document text)
    • http://www.rezbb.sk/images/roblox-hack-account-free.pdf (in PDF document text)
    • https://www.seeingindependence.org/images/bypassed-cheat-engine-roblox.pdf (in PDF document text)
    • http://panaceafamilymedicine.com/images/how-to-give-your-self-money-roblox-cheat-enibge.pdf (in PDF document text)
    • http://osteonad.com/images/space-frontier-beta-release-hack-roblox.pdf (in PDF document text)
    • https://www.apartmanychorvatsko24.cz/images/free-roblox-robux-2021.pdf (in PDF document text)
    • https://piscinasmundoacuatico.com/images/roblox-kids-free-robux.pdf (in PDF document text)
    • http://vipservice-bg.com/images/roblox-nike-t-shirt-free.pdf (in PDF document text)
    • http://gods-own.org/images/free-robux-obby-made-by-stickmasterluke.pdf (in PDF document text)
    • http://poltekkeskhjogja.ac.id/images/2021-000000-free-robux.pdf (in PDF document text)
    • https://letturatarghe.it/images/free-esp-hack-roblox.pdf (in PDF document text)
    • https://open-coffee-drimmelen-geertruidenberg.nl/images/robux-hack-link.pdf (in PDF document text)
    • http://fa-deco.com/images/free-robux-today-2021.pdf (in PDF document text)
    • http://gestibrok.com/images/roblox-cheat-engine-noclip-fly.pdf (in PDF document text)
    • https://zabota-kashira.ru/images/get-my-hacked-roblox-account-back.pdf (in PDF document text)
    • https://www.albisser.ch/images/how-to-hack-high-school-life-roblox.pdf (in PDF document text)
    • http://www.boic.nl/images/free-robux-cheats-2021.pdf (in PDF document text)
    • https://meltonschool.org/images/moon-tycoon-roblox-cheats.pdf (in PDF document text)
    • http://businessfit.com/images/roblox-plane-free.pdf (in PDF document text)
    • http://imp.lg.ua/images/apps-roblox-hacks.pdf (in PDF document text)
    • https://www.ergolight.at/images/free-robux-com-roblox.pdf (in PDF document text)
    • http://aeroclub-kaernten.at/images/free-robux-generator-no-human-verification-2021-ios.pdf (in PDF document text)
    • https://www.sauvonsleclimat.org/images/hide-cheat-engine-from-roblox.pdf (in PDF document text)
    • http://apostolosandreaslemesou.com/images/how-to-do-the-frog-hack-in-roblox.pdf (in PDF document text)
    • http://lllaw.eu/images/hack-roblox-windows-10-2021.pdf (in PDF document text)
    • http://www.cbgp.upm.es/images/how-to-hack-someones-roblox-account-without-cheat-engine.pdf (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                      Source                                        Size
stream_007_off0003914e.bin    decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x3914E     25564 bytes
  SHA-256: 7088579d7c03b19880c713dc061b1bced551abefbddef847e150891335e51046
font_01_sfnt_off0003cacd.bin  pdf-font-stream           PDF embedded font (sfnt) at offset 0x3CACD    18752 bytes
  SHA-256: 3354c25f29b4b24bacb489fcc9ed780df634006ad028852e9ed91d87aca20a67
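The two URL channels the report distinguishes (a /URI action on a link annotation versus a URL sitting inside the decompressed page text), the stream carving behind the artifact table, and the three low/info heuristics can all be reproduced with a small amount of code. The following is an added example written for this page, not code from the analysis service that produced the report. It works on a constructed, hand-built PDF whose URLs use the reserved placeholder domain example.invalid, and its stream finder only handles stream dictionaries without nested dictionaries and with a direct /Length value, which is enough for triage but is not a general PDF parser.

```python
import hashlib
import re
import zlib

# Constructed sample page text: a "Download Now" call to action beside a URL.
# example.invalid is a reserved placeholder domain, not a real lure site.
SAMPLE_TEXT = (b"BT /F1 12 Tf 72 720 Td "
               b"(Download Now: http://example.invalid/images/free-robux.pdf) Tj ET")
SAMPLE_LINK = "http://example.invalid/app/123/speed-hack"

# Stream objects with a flat dictionary (no nested << >>) followed by 'stream'.
STREAM_RE = re.compile(rb"(<<[^>]*>>)\s*stream\r?\n")
# Direct /Length only; an indirect reference such as '/Length 6 0 R' is ignored.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# /URI action as carried by /Link annotations: /S /URI /URI (target)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
CTA_RE = re.compile(rb"click here to download|download now", re.I)


def build_sample_pdf() -> bytes:
    """Hand-built minimal PDF (no xref table) with one /Link annotation carrying a
    /URI action and one FlateDecode content stream whose text holds a second URL."""
    body = zlib.compress(SAMPLE_TEXT)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Annots [5 0 R] >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(body),
        body, b"\nendstream\nendobj\n",
        b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 730] "
        b"/A << /S /URI /URI (" + SAMPLE_LINK.encode() + b") >> >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def iter_streams(pdf: bytes):
    """Yield (offset, dictionary, raw_bytes) for every stream object found."""
    for m in STREAM_RE.finditer(pdf):
        d, start = m.group(1), m.end()
        n = LENGTH_RE.search(d)
        end = start + int(n.group(1)) if n else pdf.find(b"endstream", start)
        yield start, d, pdf[start:end]


def decode_stream(d: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; fall back to decompressobj for truncated data."""
    if b"/FlateDecode" not in d:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return zlib.decompressobj().decompress(raw)


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channel that reached it, using the report's own labels."""
    found = {}
    for m in URI_ACTION_RE.finditer(pdf):              # clickable link annotations
        found.setdefault(m.group(1).decode("latin-1"), "PDF link annotation")
    for _, d, raw in iter_streams(pdf):                # text inside decoded streams
        for u in URL_RE.findall(decode_stream(d, raw)):
            found.setdefault(u.decode("latin-1"), "PDF document text")
    return found


def file_hashes(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def carve_streams(pdf: bytes) -> list:
    """Decoded stream contents with offset, size and SHA-256, like the artifact table."""
    out = []
    for off, d, raw in iter_streams(pdf):
        data = decode_stream(d, raw)
        out.append({"offset": off, "size": len(data), "sha256": file_hashes(data)["sha256"],
                    "kind": "decompressed-pdf-stream" if b"/FlateDecode" in d else "raw-pdf-stream"})
    return out


def triage(pdf: bytes) -> dict:
    """Reproduce the PDF_URI, EMBEDDED_URL and SE_DOWNLOAD_BUTTON heuristics."""
    urls = extract_urls(pdf)
    text = b"".join(decode_stream(d, raw) for _, d, raw in iter_streams(pdf))
    findings = []
    if any(ch == "PDF link annotation" for ch in urls.values()):
        findings.append("PDF_URI")
    if urls:
        findings.append("EMBEDDED_URL")
    if CTA_RE.search(text):
        findings.append("SE_DOWNLOAD_BUTTON")
    return {"hashes": file_hashes(pdf), "urls": urls, "findings": findings}


if __name__ == "__main__":
    sample = build_sample_pdf()          # replace with open(path, "rb").read() for a real file
    result = triage(sample)
    print(result["hashes"])
    for url, channel in result["urls"].items():
        print(f"{url}  [{channel}]")
    for art in carve_streams(sample):
        print(f"stream at 0x{art['offset']:X}: {art['size']} bytes sha256={art['sha256']}")
    print("findings:", result["findings"])
```

Nothing here fetches a URL: like the report, it is purely static, so the hashes and the per-channel URL list are what you hand to whoever does the follow-up on the hosting sites. On a real sample, expect the link-annotation channel to be the rarer and more interesting one, since it is what the reader actually clicks; URLs that only appear in page text are often just the same lure copied across many compromised sites.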