Malicious PDF — malware analysis report

Static analysis result for SHA-256 3596401488b73201…

MALICIOUS

PDF

41.4 KB Created: 2021-04-29 23:12:14 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: af32e92ae194398e0738d03307c279ff SHA-1: f141d0eb85862a23b2660efc978989148fdb2a40 SHA-256: 3596401488b732014a223a96f66d322a545a6325d34e3ce23bf54a6f597af27f
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document contains multiple links to websites offering 'free Roblox toys' or 'hacks', strongly suggesting a phishing or credential harvesting attempt. The ML classifier and the presence of external URIs indicate malicious intent. The document body also contains a direct call to action to 'CLICK HERE TO ACCESS ROBLOX GENERATOR', further supporting the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/how-to-get-free-roblox-toys-game-hack
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/free-robux-no-offers-2021.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/como-hackear-roblox-adopt-me.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/www-roblox-com-to-purchase-more-robux-for-free.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/roblox-kck-hack.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/how-to-hack-roblox-in-3-steps.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/a-roblox-game-that-will-give-u-free-robux.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/cheat-download-for-hacking-roblox.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/roblox-space-outpost-tycoon-script-hack-2021.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/roblox-dollar-chain-tshirt-free.pdf
    • http://www.elearning.man2bandung.sch.id/__statics/gudangsoal/files/roblox-hack-menus.pdf
    • https://www.semrush.com/prices/
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000423e.bin
0ad5a1c3671d444065d88a1547a49663aac927f883f08f5deff5a99ce9b05500		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x423E 26448 bytes
font_01_sfnt_off00007fdb.bin
7a585ddb039c299ecc2a78cdfae9591ab62f8dffed72ad96d830b0b0fb84d320		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FDB 18396 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.