Malicious PDF — malware analysis report

Static analysis result for SHA-256 213d6935c8134d0f…

MALICIOUS

PDF

234.8 KB Created: 2021-04-04 19:06:07 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-11
MD5: e3f6f5736b418781f48276d173ed482d SHA-1: 8af9022a33f3d53ac2c6dcedfe57240c48bc9339 SHA-256: 213d6935c8134d0f0c605bbf72695129640075b94fedd6a8a7d912336adb14a2
112 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The file is identified as malicious by ClamAV with a specific phishing signature. Heuristics indicate a brand-impersonation lure for credential phishing, specifically impersonating Apple and directing users to a link for 'free Robux'. The embedded URL, http://gaminggenerator.org/app/431946152/free-robux-no-verification-required, is the primary indicator of this phishing attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0491

Heuristics 5

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://gaminggenerator.org/app/431946152/free-robux-no-verification-required.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/free-robux-no-verification-required PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000356e1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x356E1 21380 bytes
SHA-256: 4d409f0f137f17e04844c37ed0c72e57c5e767c9f6b311ffedaade2ae084e2ef
font_01_sfnt_off0003859a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3859A 18636 bytes
SHA-256: fb8764cb2b5112b06ae25f72c6f4dcd5d875941614509f796e56473bffdcd6c3

Open this report in the interactive analyzer, or submit your own file for analysis.