Malicious PDF — malware analysis report

Static analysis result for SHA-256 1625c2fd7b2d579f…

MALICIOUS

PDF

244.2 KB Created: 2021-04-04 09:50:18 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 0d695a4ecc2a27d92745e4b5bae988bb SHA-1: 901b23bdae5778cf3bd68d8a2afb540692c2db8d SHA-256: 1625c2fd7b2d579f192a8ef697fb567e0dc84ee350ae061c4237625887ff0861
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is identified as an image-only lure, typical of phishing campaigns, and contains a critical ClamAV detection for 'Pdf.Phishing.Roblox062100-9873116-0'. It also embeds a URL pointing to a 'roblox-hack-script', suggesting the document is designed to trick users into downloading or executing malicious content related to game exploits. No scripts were extracted, but the overall structure and embedded URL strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.1227

Heuristics 5

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 244 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/admin-roblox-hack-script
    • http://www.brtes.com/images/free-robux-hack-no-download-no-survey-2021.pdf
    • http://getthelook-bkk.com/images/free-robux-gift-card-codes-no-survey.pdf
    • http://www.art-concept.gr/images/free-script-executor-roblox-2021.pdf
    • http://www.boic.nl/images/free-robux-cheats-2021.pdf
    • https://eleganceautospa.ca/images/free-roblox-hacks-co.pdf
    • http://alpen-seeblick.at/images/roblox-free-car-games.pdf
    • http://britishcomics.com/images/roblox-new-hack.pdf
    • http://www.inservis.cl/images/wheel-decide-free-roblox.pdf
    • http://racunari.in.rs/images/hack-menu-roblox.pdf
    • https://www.wildpark-johannismuehle.de/images/how-do-you-get-free-robux-on-roblox-pc.pdf
    • https://www.gvandenakker.nl/images/free-robux-noe.pdf
    • http://bb-im2.com/images/roblox-jailbreak-fire-truck-hack.pdf
    • http://reisebild.eu/images/free-games-roblox-free-online.pdf
    • https://piscinasmundoacuatico.com/images/roblox-meme-hack-2021.pdf
    • http://finalstand.org/images/free-robux-hack-july-2021.pdf
    • http://safari-crimea.com/images/how-to-get-free-roblox-cash.pdf
    • http://76remont-kvartir.ru/images/how-do-you-hack-through-walls-in-roblox-jailbreak.pdf
    • https://europainstitut.hu/images/how-to-get-free-knives-in-assassin-roblox.pdf
    • http://www.vktzunami.cz/images/can-you-get-banned-on-roblox-for-hacking.pdf
    • http://briankellyforcongress.com/images/roblox-fantastic-frontier-hack.pdf
    • http://jasperfirstumc.com/images/using-free-purchases-on-roblox.pdf
    • http://altc.de/images/roblox-how-to-hack-grand-blox-auto-with-cheat-engine.pdf
    • http://gaeconsultores.cl/images/free-long-good-roblox-names-for-boys.pdf
    • http://rafaelmontesinos.com/images/free-shaggy-old-roblox.pdf
    • http://www.art-concept.gr/images/free-robux-for-roblox-no-human-verification-or-survey.pdf
    • http://schrichte.de/images/how-to-use-roblox-jailbreak-auto-rob-hack.pdf
    • http://iedarelief.us/images/roblox-how-to-get-free-robux-promo-code-2021.pdf
    • http://www.jureclomas.com.ar/images/how-to-get-free-robux-no-download-2021.pdf
    • https://consorziocsa-asicaivano.it/images/como-hackear-roblox-para-tener-robux-gratis-2021.pdf
    • http://legitame.org/images/how-to-hack-roblox-paintball-rank.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00037ec9.bin
90fcc61e8f20b60aad222a27d719882b5dc1957b6cc94ebeeab0d20507f39fd4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x37EC9 19516 bytes
font_01_sfnt_off0003a79d.bin
f5f04652c104d973fd76e77499614b60c41ac0f9222eb2820c223b8a5642e9b7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3A79D 18420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.