MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF document contains numerous URLs related to game cheats and hacks, specifically for Roblox, and includes a high-confidence ML classifier flagging it as malicious. The document body, though heavily obfuscated, contains references to 'cheater-sur-roblox-nul' and a URL that appears to be the primary lure. The presence of external URIs and the overall context suggest a phishing attempt to trick users into downloading malware disguised as game cheats.
Machine Learning
- Nyx PDF Classifier malicious score 0.6193
Heuristics 4
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.), which is low-signal unless other findings point to a malicious workflow.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://gaminggenerator.org/app/431946152/cheater-sur-roblox-nul
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_003_off00008194.bin 021f0bf482706d5ee314a8c2c2c530a75ebe3f13c4e6ed725c901a139b296d17 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8194 | 25952 bytes |
| font_01_sfnt_off0000bc80.bin 9853ca89115022285623111534c9ddc4f1dd062ee785b99bc0edec496de21ae2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBC80 | 3936 bytes |
| font_02_sfnt_off0000c969.bin a7e78cd86336c72ae809c4c7c19bc71c41c4af59c2eccc32444958c650bfc650 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC969 | 17652 bytes |