Malicious PDF — malware analysis report

Static analysis result for SHA-256 27b8d693469bd36f…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2021-04-29 05:04:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: d5cf8c03adc064bcda9c05a2e7e5b029
SHA-1: 0f3604a36d295ec98cc77f16b4012f1f626080de
SHA-256: 27b8d693469bd36fc213bab25fdab5b82221717e57905b59313a8c5e41b5b7c5
Risk score: 82

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF document contains numerous links and a call-to-action phrase, all related to "Roblox hacks" and "generators". The presence of external URIs and a high ML classifier score indicate malicious intent. The document likely serves as a lure to trick users into downloading a second-stage payload from one of the provided URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9836

Heuristics (4)

  • SE_LOLBIN_RUN_COMMAND [high]: LOLBin token sequence in document text
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • SE_DOWNLOAD_BUTTON [low]: Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs, with the channel that reached each:
      • https://netcdn.xyz/app/431946152/hacking-on-mano-county-roblox-game-hack (PDF link annotation)
      • https://lib.stie-yai.ac.id/repository/free-robux-no-human-verification-no-survey-2021.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/roblox-free-dominus-hack.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/dantdm-get-free-robux.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/i-got-hacked-playing-roblox.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/how-to-hack-roblox-with-terminal.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/free-robux-2021-code-jamais-utiliser.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/roblox-hack-noclip-download-pc-2021-13-feb.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/cmd-hacks-for-roblox.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/free-robux-obby-2021.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/repository/roblox-jason-mask-free.pdf (PDF document text)
      • https://lib.stie-yai.ac.id/reposito (truncated in source; macro / runtime command snippet)
      • http://en.wikipedia.org/wiki/MIT_License (PDF document text)
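The four heuristics above are string-proximity and channel checks, so they are easy to reproduce. The following is an added example written for this page, not the analysis engine's own code: it implements the 220-character LOLBin window, the call-to-action match, and the per-URL channel label (link-annotation action versus document text) over a constructed lure. The LOLBin list and the "dangerous token" set are my representative choices beyond the names the report quotes, and the annotation scan handles only literal-string `/URI (...)` entries in an uncompressed object; a real scanner decompresses object streams and resolves indirect references first.

```python
import re

# Tool names the heuristic looks for. The report quotes PowerShell, mshta, cmd,
# rundll32, regsvr32, "..."; the remaining entries are my extension (assumption).
LOLBINS = ("powershell", "pwsh", "mshta", "cmd", "rundll32", "regsvr32",
           "wscript", "cscript", "certutil", "bitsadmin", "msiexec")

# "Dangerous flag, command verb, or URL": a representative set, not the engine's exact list.
DANGER = re.compile(
    r"(-enc(?:odedcommand)?\b|-nop\b|-w(?:indowstyle)?\s+hidden\b|/c\b|\biex\b"
    r"|invoke-(?:expression|webrequest)|downloadstring|https?://\S+)",
    re.IGNORECASE)
WINDOW = 220  # characters either side of the tool name, as stated in the heuristic text

# Call-to-action phrases for SE_DOWNLOAD_BUTTON (representative, not exhaustive).
CTA = re.compile(r"\b(?:click here to download|download now|download here|get it now)\b",
                 re.IGNORECASE)

# /URI (...) inside a link annotation's action dictionary; literal strings only.
ANNOT_URI = re.compile(rb"/URI\s*\(([^)]*)\)")
TEXT_URL = re.compile(r"https?://[^\s<>\"')\]]+")


def lolbin_run_command(text, window=WINDOW):
    """SE_LOLBIN_RUN_COMMAND: (tool, nearby_token, gap_chars) for every LOLBin
    name that has a dangerous token inside the window on either side."""
    hits = []
    for tool in LOLBINS:
        for m in re.finditer(r"\b%s(?:\.exe)?\b" % tool, text, re.IGNORECASE):
            lo, hi = max(0, m.start() - window), min(len(text), m.end() + window)
            d = DANGER.search(text, lo, hi)   # bounded search inside the window
            if d is None:
                continue
            gap = d.start() - m.end() if d.start() >= m.end() else m.start() - d.end()
            hits.append((tool, d.group(0), max(gap, 0)))
    return hits


def download_button_lure(text):
    """SE_DOWNLOAD_BUTTON: the call-to-action phrases present in the text."""
    return [m.group(0) for m in CTA.finditer(text)]


def url_channels(pdf_bytes, doc_text):
    """EMBEDDED_URL / PDF_URI: map each URL to the channel(s) that reached it."""
    annot = {m.group(1).decode("latin-1") for m in ANNOT_URI.finditer(pdf_bytes)}
    body = set(TEXT_URL.findall(doc_text))
    channels = {}
    for url in sorted(annot | body):
        labels = []
        if url in annot:
            labels.append("PDF link annotation")
        if url in body:
            labels.append("PDF document text")
        channels[url] = labels
    return channels


def heuristics(pdf_bytes, doc_text):
    """Findings as (id, severity), using the report's own identifiers and ratings."""
    findings = []
    if lolbin_run_command(doc_text):
        findings.append(("SE_LOLBIN_RUN_COMMAND", "high"))
    if download_button_lure(doc_text):
        findings.append(("SE_DOWNLOAD_BUTTON", "low"))
    channels = url_channels(pdf_bytes, doc_text)
    if any("PDF link annotation" in c for c in channels.values()):
        findings.append(("PDF_URI", "info"))
    if channels:
        findings.append(("EMBEDDED_URL", "info"))
    return findings


# Constructed sample (not the analysed file): one uncompressed link annotation
# object, and the text a PDF text extractor would return for a lure page like this.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"7 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
              b"   /A << /S /URI /URI (https://cdn.example/app/1/roblox-hack) >> >>\n"
              b"endobj\n")
SAMPLE_TEXT = ("Free Robux generator 2021. Click here to download the tool:\n"
               "https://lib.example/repository/cmd-hacks-for-roblox.pdf\n"
               "Open PowerShell and paste: powershell -nop -w hidden -enc ...\n")

if __name__ == "__main__":
    for finding in heuristics(SAMPLE_PDF, SAMPLE_TEXT):
        print("%-22s %s" % finding)
    for tool, token, gap in lolbin_run_command(SAMPLE_TEXT):
        print("  %s near %r (gap %d)" % (tool, token, gap))
```

Note what fires the high-severity rule on the sample: the URL `.../cmd-hacks-for-roblox.pdf` alone puts the token `cmd` within 220 characters of a URL, the same shape as this report's own URL list. The rule is a "run this" pattern detector and should be read next to the extracted text, not taken as proof that a command line is present.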

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000040de.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x40DE  24892 bytes
    SHA-256: 56fa1b0b789e162bd5031d99b40ec4306c44c120866a8d6f516d138d28a0845f
font_01_sfnt_off000078a8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x78A8  2844 bytes
    SHA-256: baad2f3f6808f4af03fa9398e38c580c8d846f7f773a947d8cc1f39b2753d31a
font_02_sfnt_off0000826a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x826A  19212 bytes
    SHA-256: c13d0aef5372d33c4a8ed146cb74e54fcee9d30f1c658307916f8d59deba178a
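How a table like the one above is produced: walk the PDF's `stream`/`endstream` objects, inflate each one, and keep those whose first four bytes are an sfnt version tag, hashing the decoded bytes. This is an added example written for this page, not the engine's own carver. Assumptions: the "offset" is the file offset of the stream data (the report does not say which convention it uses), only FlateDecode and uncompressed streams are handled, and the sample PDF is constructed inline.

```python
import hashlib
import re
import zlib

# sfnt version tags: TrueType, CFF-based OpenType, Apple TrueType, font collection
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length values only; an indirect "/Length 7 0 R" is rejected by the lookahead.
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")


def iter_streams(pdf):
    """Yield (data_offset, raw_stream_bytes) for each stream object in the file."""
    pos = 0
    while True:
        m = STREAM_START.search(pdf, pos)
        if m is None:
            return
        start = m.end()
        # nearest direct /Length in the dictionary preceding the stream keyword
        lengths = DIRECT_LENGTH.findall(pdf[max(0, m.start() - 400):m.start()])
        if lengths:
            raw = pdf[start:start + int(lengths[-1])]
        else:  # indirect /Length: fall back to scanning for the end keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                return
            raw = pdf[start:end].rstrip(b"\r\n")
        yield start, raw
        pos = start + len(raw)   # never re-scan inside stream data


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_fonts(pdf):
    """Return one record per sfnt stream, named the way the artifacts table names them."""
    found = []
    for off, raw in iter_streams(pdf):
        try:
            data = zlib.decompress(raw)   # /FlateDecode, the common case
        except zlib.error:
            data = raw                    # uncompressed (or a filter not handled here)
        if data[:4] not in SFNT_MAGIC:
            continue
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
            "offset": off,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return found


# Constructed sample: a Flate-compressed stream beginning with the TrueType version
# tag (a fake table directory follows), plus a compressed non-font stream to be skipped.
FAKE_TTF = b"\x00\x01\x00\x00" + b"\x00\x03\x00\x30\x00\x02\x00\x00" + b"\x00" * 48


def build_sample_pdf():
    font = zlib.compress(FAKE_TTF)
    other = zlib.compress(b"\xff" * 64)
    parts = [
        b"%PDF-1.4\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(font), len(FAKE_TTF)),
        font, b"\nendstream\nendobj\n",
        b"6 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(other),
        other, b"\nendstream\nendobj\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print("%(name)s  pdf-font-stream  sfnt at offset 0x%(offset)X  %(size)d bytes" % rec)
        print("    SHA-256:", rec["sha256"])
```

Matching by sfnt magic rather than by the `/FontFile2` key means a font hidden behind an unusual dictionary still gets carved. The hashes are not a detection on their own; their value is clustering: a generator such as wkhtmltopdf embeds the same subsetted fonts across the documents it emits, so identical font hashes tie lures from one campaign together. Treat carved fonts as untrusted input if you feed them to other tooling.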