Malicious PDF — malware analysis report

Static analysis result for SHA-256 4757a7cd8a54f772…

MALICIOUS

PDF

58.9 KB Created: 2021-04-06 00:06:54 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-29
MD5: 89a14b843a8ce3c58926c855d54a8802 SHA-1: 99bc78cccf0a7642a3731d71eee6f6bba0397f9f SHA-256: 4757a7cd8a54f77243bd4cd70b33a976b1bd5f05f011e2d78ca326ec119efc03
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains numerous embedded URLs and a heuristic firing for a 'game-hack generator link farm', specifically mentioning 'how to get free robux'. The document body, though partially corrupted, contains references to 'wkhtmltopdf' and 'free robux', reinforcing the lure. The presence of multiple external URIs suggests an attempt to redirect the user to malicious websites, likely for credential theft or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7417

Heuristics 4

  • PDF carries game-hack generator link farm medium PDF_GAME_HACK_LINK_FARM
    PDF contains a gaminggenerator.org app lure together with multiple external PDF links whose filenames advertise game hacks, cheats, jailbreaks, or generators. This is a lure/delivery link farm rather than a PDF exploit: the risk is the linked redirection chain.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/how-to-get-free-robux-with-editthiscookie PDF link annotation
    • http://asiashop-france.fr/images/how-to-get-free-robux-in-roblox-easy.pdfIn PDF document text
    • https://avn.kz/images/how-to-hack-for-free-robux.pdfIn PDF document text
    • http://precisionheavyhaul.com/images/roblox-kkiller-hack.pdfIn PDF document text
    • https://leckeres-geschenk.de/images/www-roblox-com-cheat-in.pdfIn PDF document text
    • http://fiur-malermeister.de/images/games-that-give-you-free-stuff-in-roblox.pdfIn PDF document text
    • http://lanoblaie.fr/images/hacks-to-get-money-on-roblox.pdfIn PDF document text
    • http://clubpure.org/images/roblox-booga-booga-mojo-hack-weardevs.pdfIn PDF document text
    • http://babbibooth.com/images/counter-blox-roblox-offensive-how-to-get-skins-free.pdfIn PDF document text
    • http://www.anies.eu/images/roblox-cheats-for-tix-2021.pdfIn PDF document text
    • http://webstan.be/images/roblox-robux-hack-online-genorator-tool.pdfIn PDF document text
    • http://agrao.in/images/generate-free-robux-gift-card.pdfIn PDF document text
    • http://elitesoftsolutions.com/images/commen-avoir-du-free-robux.pdfIn PDF document text
    • http://bau-lk.de/images/roblox-hacker-cods-fr-redline.pdfIn PDF document text
    • http://bit-sky.com/images/roblox-mouse-fre.pdfIn PDF document text
    • http://vagency.us/images/get-free-items-roblox-pastebin.pdfIn PDF document text
    • https://semanasantacehegin.com/images/hacks-for-roblox-phantom-forces-2021.pdfIn PDF document text
    • http://babyxpress.de/images/hack-roblox-ccv3-particles-not-patched.pdfIn PDF document text
    • https://shimony.net/images/free-roblox-accounts-counter-blox.pdfIn PDF document text
    • https://www.ferienhausdirektkroatien.de/images/hackear-prison-life-roblox-2021-pc-dansploit.pdfIn PDF document text
    • http://imp.lg.ua/images/how-to-enter-fake-details-to-get-free-robux.pdfIn PDF document text
    • https://cdu-lengerich.de/images/how-to-get-a-free-gift-card-on-roblox.pdfIn PDF document text
    • http://agritrade-ukraine.com/images/comment-hacker-roblox-sans-logiciel-youtube.pdfIn PDF document text
    • https://www.cnte.org.br/images/juegos-para-hackear-en-roblox.pdfIn PDF document text
    • https://enpav.it/images/reaper-quest-cheat-engine-roblox.pdfIn PDF document text
    • https://gabrieliassociati.com/images/code-free-robux-2021.pdfIn PDF document text
    • http://nebraskahospitalityhalloffame.com/images/someone-hacked-my-roblox-account-and-changed-my-password.pdfIn PDF document text
    • http://nosocomium.rv.ua/images/how-to-hack-a-roblox-server-2021.pdfIn PDF document text
    • http://www.laborvetro.org/images/roblox-free-download-ps4.pdfIn PDF document text
    • http://ghegamethu.vn/images/free-codes-for-roblox-assassin.pdfIn PDF document text
    • http://www.eurologistiki.gr/images/www-bloxland-com-free-robux.pdfIn PDF document text
    • http://energotestcontrol.ru/images/roblox-weight-lifting-simulator-3-cheats.pdfIn PDF document text
    • https://gigbagwinkel.nl/images/robux-script-free.pdfIn PDF document text
    • http://medimacs.eu/images/roblox-deep-space-tycoon-hack-script.pdfIn PDF document text
    • http://centuriatus.com/images/how-to-make-everything-on-roblox-free.pdfIn PDF document text
    • https://hassel-event.de/images/can-my-childs-friend-hack-roblox-game.pdfIn PDF document text
    • http://www.fanciullovito.it/images/lacify-cheat-roblox.pdfIn PDF document text
    • https://www.tsdb.com.au/images/how-to-get-free-rocket-fuel-roblox.pdfIn PDF document text
    • http://www.lycee-langevin-wallon.com/images/roblox-hack-that-lets-you-swear.pdfIn PDF document text
    • http://www.eaapiaria.es/images/roblox-hacking-cheat-engin.pdfIn PDF document text
    • http://act.gr/images/2021-free-robux-generator.pdfIn PDF document text
    • https://koeltotaal.com/images/how-to-login-to-cerberus-roblox-hacker.pdfIn PDF document text
    • http://clubpure.org/images/roblox-zone-free-robux.pdfIn PDF document text
    • http://nikabio.com/images/free-avatar-animation-roblox.pdfIn PDF document text
    • http://www.hotelcimone.it/images/how-to-teleport-hack-in-roblox.pdfIn PDF document text
    • https://www.gymun.cz/images/how-to-get-free-robux-in-1-minute-2021.pdfIn PDF document text
    • http://techmobil.pl/images/roblox-hacks-2021-epicmini-games.pdfIn PDF document text
    • http://nebraskahospitalityhalloffame.com/images/roblox-xbox-free-packages.pdfIn PDF document text
    • https://ballaratcaravans.com.au/images/how-to-hack-clothes-in-roblox.pdfIn PDF document text
    • https://lesegais.ru/images/roblox-mods-hacks-money.pdfIn PDF document text
    +11 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00008853.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8853 25424 bytes
SHA-256: f4ab0917495e36998f1128e67696ff76dea9f07f7f5677812fdf7c646e81566f
font_01_sfnt_off0000c124.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC124 18672 bytes
SHA-256: a1147a1ae78bdd3616556af175e18deacbfb30328ffa12b69133cd6a0dfca79d