Malicious PDF — malware analysis report

Static analysis result for SHA-256 397b4ba3e11f20bb…

MALICIOUS

PDF

63.9 KB Created: 2021-04-06 00:37:58 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-11
MD5: ff9e30c2ffc15b28c543fdd60df0a3ac SHA-1: 50bf71a58323e471b924adf8b5c8255266315d61 SHA-256: 397b4ba3e11f20bb06572695b71de3a97f4d312128f07b9cf4eaaa57b0087023
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains numerous URLs pointing to sites offering game-related cheats and downloads, suggesting a lure for potentially unwanted software or scams. The heuristic 'SE_SECURITY_BYPASS' indicates the document may instruct users to disable security software, a common tactic in malicious campaigns. Although no scripts were explicitly extracted, the ML classifier and the presence of external URIs suggest a malicious intent, likely to exploit vulnerabilities or trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6301

Heuristics 4

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/synapse-x-free-download-roblox PDF link annotation
    • http://grand-ural74.ru/images/how-to-get-free-robux-on-mac-2021.pdfIn PDF document text
    • http://amtabor2.at/images/free-roblox-cash.pdfIn PDF document text
    • https://www.cfdcnv.com/images/do-the-obby-for-free-robux.pdfIn PDF document text
    • https://www.osoc.com/images/free-v-bucks-for-roblox.pdfIn PDF document text
    • https://billiekawende.com/images/roblox-is-bieg-hacked.pdfIn PDF document text
    • http://stroybelan.ru/images/roblox-anti-crash-hack.pdfIn PDF document text
    • http://www.eurosan1.ba/images/cheat-codes-roblox-xbox-one.pdfIn PDF document text
    • http://www.cosver.nl/images/breaking-point-roblox-hack-2021.pdfIn PDF document text
    • http://immo360grad.com/images/roblox-cheat-engine-hacks-2021.pdfIn PDF document text
    • http://jakthund.org/images/a-game-on-roblox-that-gives-you-free-robux.pdfIn PDF document text
    • http://www.zdravazena.sk/images/free-catalog-roblox-items.pdfIn PDF document text
    • http://www.nielsen2u.dk/images/roblox-hack-robux-promo-code.pdfIn PDF document text
    • http://www.eurosan1.ba/images/el-mejore-hack-de-roblox-marzo.pdfIn PDF document text
    • http://www.comitatoiseo.org/images/rbx-points-free-robux.pdfIn PDF document text
    • http://www.cosver.nl/images/roblox-ways-to-cheat-money-on-vehicle-simulater.pdfIn PDF document text
    • https://www.olboys.it/images/free-roblox-usernames-and-passwords-with-robux.pdfIn PDF document text
    • http://racunari.in.rs/images/roblox-hack-explot.pdfIn PDF document text
    • http://daksz.hu/images/how-to-get-1-robux-free.pdfIn PDF document text
    • https://pagadder.com/images/roblox-jailbreak-how-to-get-all-cars-free.pdfIn PDF document text
    • http://www.dcgsrl.it/images/how-to-get-free-visits-on-roblox.pdfIn PDF document text
    • http://garrisonjazz.com/images/roblox-sign-in-free-online.pdfIn PDF document text
    • http://www.actae.gr/images/good-codes-to-get-free-robux-2021.pdfIn PDF document text
    • http://www.gearestauri.it/images/roblox-hack-2021-free-robux.pdfIn PDF document text
    • https://ambarevleri.com/images/hack-youtube-roblox-game.pdfIn PDF document text
    • http://dorfgaragethalwil.ch/images/roblox-free-clothes-hack-mobile.pdfIn PDF document text
    • https://liceucastrodelapenya.com/images/free-roblox-blox-piece-hacks.pdfIn PDF document text
    • http://www.tamogatoweb.hu/images/how-to-hack-roblox-jailbreak-money-2021.pdfIn PDF document text
    • https://leckeres-geschenk.de/images/robux-hack-video.pdfIn PDF document text
    • http://news123.it/images/free-robux-for-real-without-email-needed.pdfIn PDF document text
    • https://www.hotschool.com.au/images/cheat-dungeon-quest-roblox-20s.pdfIn PDF document text
    • https://pneukalousek.cz/images/comment-maitre-de-dinosaure-dans-free-dino-tycoon-roblox.pdfIn PDF document text
    • http://sbm-nn.ru/images/free-robux-games-working.pdfIn PDF document text
    • http://precisionheavyhaul.com/images/roblox-hack-cheat-buddy.pdfIn PDF document text
    • http://www.kalaaliaraq.dk/images/how-to-become-builders-club-on-roblox-for-free.pdfIn PDF document text
    • https://gzog.pl/images/how-to-hack-on-roblox-wolf-games.pdfIn PDF document text
    • http://fratellimazzoleni.it/images/free-robux-rbx-place.pdfIn PDF document text
    • http://legitame.org/images/codes-for-roblox-free-robux.pdfIn PDF document text
    • https://estalagemmonteverde.com.br/images/roblox-tampermonkey-hack.pdfIn PDF document text
    • https://grovehilloutfitters.com/images/how-to-get-free-robux-wikihow.pdfIn PDF document text
    • http://geemarco.com/images/how-to-get-free-robux-items-on-roblox.pdfIn PDF document text
    • http://glll.de/images/roblox-get-free-robux-2021.pdfIn PDF document text
    • http://www.copoint.co.uk/images/roblox-coloring-sheets-free.pdfIn PDF document text
    • https://pemadamapi.net/images/generateur-robux-free.pdfIn PDF document text
    • http://arcnjournals.org/images/how-to-speed-hack-with-cheat-engine-on-roblox.pdfIn PDF document text
    • http://glll.de/images/roblox-jump-hack-code.pdfIn PDF document text
    • https://roberto-gac.com/images/logo-hacker-roblox.pdfIn PDF document text
    • https://www.air-shop.cz/images/roblox-free-admin-house.pdfIn PDF document text
    • http://erptrends.com/images/roblox-hack-unlimited-robux-tool4u-vip-roblox.pdfIn PDF document text
    • http://jakthund.org/images/a-game-on-roblox-that-gives-you-free-In PDF document text
    +12 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00008072.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8072 40020 bytes
SHA-256: 809b43b85bbace0139ffdb671942ff64b63a53e62c3659ee85fdc8ca5f85d50f
font_01_sfnt_off0000d5e7.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xD5E7 18624 bytes
SHA-256: fe0f8b09ca32619b43d0005435637fed626b6227276d8b978cddae1463309191

Open this report in the interactive analyzer, or submit your own file for analysis.