Malicious PDF — malware analysis report

Static analysis result for SHA-256 102b805c30f6aedb…

MALICIOUS

PDF

59.6 KB Created: 2021-04-05 18:20:54 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-16
MD5: cb8d6748712475c3e8c7e387bceb4a4f SHA-1: a7aee9c58da1c9ca69dfd93b7d570c3759b05a66 SHA-256: 102b805c30f6aedb885c8909f5342936fbf0f8da4a547b74891db9933457a664
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document employs social engineering tactics, including a fake CAPTCHA and a download lure, to trick users into downloading potentially malicious files related to the game Roblox. The embedded URLs and document body content strongly suggest a lure for downloading hacking tools or cheats. While no scripts were explicitly extracted, the PDF structure and heuristic firings indicate a malicious intent to deceive users into executing further malicious actions.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7417

Heuristics 5

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/roblox-hack-lucky-patcher PDF link annotation
    • https://bancroftandsons.com/images/free-script-exporters-roblox.pdfIn PDF document text
    • https://technospektr.com.ua/images/roblox-for-free-on-phone.pdfIn PDF document text
    • http://armatrutz.de/images/how-to-hack-anyone-account-on-roblox.pdfIn PDF document text
    • https://www.iadh.bi/images/free-aesthetic-clothes-roblox.pdfIn PDF document text
    • http://news123.it/images/free-robux-code-genrator.pdfIn PDF document text
    • http://huananhai.net/images/how-to-hack-peoples-accounts-roblox.pdfIn PDF document text
    • http://bilhetim.com.br/images/roblox-jailbreak-money-hack-2021-download.pdfIn PDF document text
    • http://elllanorestaurants.com/images/roblox-hide-n-seek-cheats.pdfIn PDF document text
    • https://www.mvp.co.nz/images/como-hackear-cuentas-de-roblox-sin-necesidad-de-contrasea.pdfIn PDF document text
    • https://www.gymun.cz/images/synapse-roblox-exploit-free.pdfIn PDF document text
    • http://www.lascalamilanowallcovering.it/images/roblox-hack-deutsch-pc-2021.pdfIn PDF document text
    • http://dorfgaragethalwil.ch/images/doomspire-brickbattle-hack-roblox.pdfIn PDF document text
    • http://kids-academy.pl/images/como-tener-mucho-dinero-en-jailbreak-roblox-hack.pdfIn PDF document text
    • https://verdensbarn.no/images/free-robux-hack-no-survey-2021.pdfIn PDF document text
    • http://canadatowers.com/images/get-free-robux-today-only.pdfIn PDF document text
    • http://jointworkstudio.com/images/how-to-get-a-free-vip-server-on-roblox-2021.pdfIn PDF document text
    • https://newenglandafs.com/images/vip-server-roblox-free.pdfIn PDF document text
    • http://batterikongen.no/images/free-roblox-clothing-2021.pdfIn PDF document text
    • http://www.conservatoriolecce.it/images/how-to-hack-money-in-gta-5-roblox.pdfIn PDF document text
    • http://the-specials.ch/images/black-jacket-roblox-free.pdfIn PDF document text
    • http://yogaschooldecypres.be/images/roblox-jailbreak-hack-how-to-through-walls-hack-new-2021.pdfIn PDF document text
    • https://pa-waingapu.go.id/images/robux-hack-discord.pdfIn PDF document text
    • http://io24.com.ar/images/how-to-get-robux-free-no-verification.pdfIn PDF document text
    • https://www.beaufortcollege.ie/images/robux-free-net.pdfIn PDF document text
    • http://sdservicesrl.it/images/roblox-zombie-tsunami-hack.pdfIn PDF document text
    • https://bgescc.com/images/roblox-people-getting-passes-for-free.pdfIn PDF document text
    • https://www.seeingindependence.org/images/how-to-get-free-robux-guava-juice.pdfIn PDF document text
    • https://pagadder.com/images/fisicuffs-roblox-cheats.pdfIn PDF document text
    • http://poltekkeskhjogja.ac.id/images/hack-roblox-exploiting.pdfIn PDF document text
    • https://www.academiaanticorrupcion.org/images/free-shirts-roblox-happydaved.pdfIn PDF document text
    • https://www.wadowice24.pl/images/auto-clicker-for-roblox-mac-free.pdfIn PDF document text
    • http://firstaidacademy.be/images/free-money-codes-on-roblox-skywars.pdfIn PDF document text
    • http://hotel-buta.by/images/filedropper-roblox-hack.pdfIn PDF document text
    • https://www.wildpark-johannismuehle.de/images/how-to-hack-on-roblox-jailbreak-2021.pdfIn PDF document text
    • http://hindicenter.com/images/este-pagina-hack-te-regala-muchos-robux-en-roblox-funcionando.pdfIn PDF document text
    • http://businessfit.com/images/codes-admin-get-free-robux-roblox.pdfIn PDF document text
    • http://goosesscuba.com/images/como-hacer-hacks-en-roblox.pdfIn PDF document text
    • http://schottlandfieber.de/images/https-blox-land-free-robux.pdfIn PDF document text
    • http://immo360grad.com/images/redeem-code-roblox-free-robux.pdfIn PDF document text
    • http://www.campiresine.it/images/how-to-get-free-roblox-for-real.pdfIn PDF document text
    • https://www.tsdb.com.au/images/bc-accounts-roblox-free.pdfIn PDF document text
    • http://nevesomost.by/images/free-robux-services.pdfIn PDF document text
    • http://lllaw.eu/images/roblox-build-battle-hack.pdfIn PDF document text
    • https://consorziocsa-asicaivano.it/images/can-robux-generator-hack.pdfIn PDF document text
    • http://cdescolapios.org/images/get-robux-free-button.pdfIn PDF document text
    • http://bressanassessoria.com.br/images/get-robux-free-scrach.pdfIn PDF document text
    • http://www.agri-tech.com.au/images/how-to-get-free-robux-in-roblox-games.pdfIn PDF document text
    • http://halal-center.ru/images/how-to-curse-on-roblox-hack.pdfIn PDF document text
    • http://jobsy.com.sg/images/roblox-prison-life-20-hack.pdfIn PDF document text
    +16 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00008a9c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8A9C 25900 bytes
SHA-256: 6a58d39725f4c12375914f7260ddcccd1ef9c675801c98fd906743999fe309cb
font_01_sfnt_off0000c51f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC51F 18296 bytes
SHA-256: 4e9c5d536b4787e9aed2be3b3899086409cfe316c86c9923ba23545c78ff9215