Malicious PDF — malware analysis report

Static analysis result for SHA-256 11ada0a8e7f50fa4…

MALICIOUS

PDF

39.6 KB Created: 2021-05-25 07:00:55 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0b585138e78c6262bcb34bb1c725c8d0 SHA-1: c618a4aafb1625d55513bf42258e27b6803f4b1d SHA-256: 11ada0a8e7f50fa49bef15e162cf4e565a7149abf41d466135741805758d8f8a
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs and a prominent call-to-action phrase, suggesting a phishing or social engineering attempt. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs and a clickable URI pointing to an IP address further supports this. The document body mentions 'Roblox Hack Client' and 'CLICK HERE TO ACCESS ROBLOX GENERATOR', indicating a lure for potentially malicious downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9476

Heuristics 4

  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/roblox-hack-client-game-hack
    • http://183.91.70.11/repository/give-me-robux_GM431946152.pdf
    • http://183.91.70.11/repository/how-to-get-roblox-premium-for-free_GM431946152.pdf
    • http://183.91.70.11/repository/robux-win_GM431946152.pdf
    • http://183.91.70.11/repository/roblox-adopt-me-hack_GM431946152.pdf
    • http://183.91.70.11/repository/microsoft-bing-free-robux_GM431946152.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000359d.bin
2284f20e87aa477ce49aa9764ef1afc195087dd54bd0e5742c77045feacab5ea		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x359D 29888 bytes
font_01_sfnt_off00007929.bin
550f62bb1f49814ef42b1b735b63b4edf215944f9d7482118736a3d91d594bfc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7929 18408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.