Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fbb06777c7c7b61…

MALICIOUS

PDF

41.3 KB Created: 2021-04-23 11:27:08 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 6054da265c188218037dd32b06531d03 SHA-1: e74d9a526be44bacf5c92a7fff7277e4679082c4 SHA-256: 4fbb06777c7c7b61847aadfd34733e1a067bf8fabc72b025400752bbb721f5de
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The document displays a fake CAPTCHA and a call-to-action to download a 'Roblox Hack', which is a common lure for users to execute malicious files. The embedded URL points to a suspicious domain likely hosting the payload. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netsecure.top/app/431946152/roblox-hack-ninja-simulator-hacked-game-hack
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/free-obc-accounts-roblox.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/free-items-in-roblox-removed.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/fps-free-games-best-on-roblox-2021-easter.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/se-puede-hackear-nighthawk-imperoum-roblox.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/roblox-exploit-executers-free.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/cheat-roblox-rocitizens.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/free-money-hack-roblox.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/how-to-play-roblox-free-online.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/how-to-hack-roblox-jailbreak-noclip-2021.pdf
    • https://www.wearmyspex.com/uploaded_files/userfiles/files/free-robux-games-that-work.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004230.bin
0edf1b075c442b415c2f4e47595fc9fe33e8a074074d35c9f0e671fdd3af0635		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4230 25732 bytes
font_01_sfnt_off00007d0e.bin
86e4db9da192f5e0b5cf28ea5a48d3614fb1b7b274b473d2bd412d11b52c3876		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7D0E 19168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.