Malicious PDF — malware analysis report

Static analysis result for SHA-256 102994712f2c6179…

Verdict: MALICIOUS
File type: PDF
Size: 246.6 KB
Created: 2021-04-05 04:56:10 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-07-13
MD5: f0c2306b7ceba99aed69f5941d9175a4
SHA-1: f3ba2657220ca48571a0611ab8fcce0ec375472a
SHA-256: 102994712f2c61794c93a3688328133be4f226ea1143015270a2346a4a8fbfb6
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an external URI pointing to a domain associated with Roblox hacks, and a heuristic indicates a password-protected archive lure, suggesting a phishing or malware distribution attempt. ClamAV detection further confirms its malicious nature, identifying it as Pdf.Phishing.Roblox062100-9873116-0. The document body is heavily obfuscated and unreadable, but the presence of embedded URLs and the phishing lure heuristic strongly suggest a malicious intent.

Machine Learning

  • Nyx PDF Classifier: suspicious score 0.2693

Heuristics (5)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Password-protected archive handoff (severity: high, tag: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure (severity: low, tag: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gaminggenerator.org/app/431946152/hacks-for-roblox-catalog-2021 (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00037ab4.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x37AB4
  Size: 24684 bytes
  SHA-256: 03b31c65932838e79e64a6809bee5d1010e7c1e4286e7e05c7ddddffa7efad61

font_01_sfnt_off0003b2f8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3B2F8
  Size: 18576 bytes
  SHA-256: c8f334c12b439223a4ff4712bc21d8f22a7cc1543cd4ef27a612d99195365f36