Malicious PDF — malware analysis report

Static analysis result for SHA-256 51857dc603b0100b…

MALICIOUS

PDF

41.4 KB Created: 2021-04-29 00:49:32 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-16
MD5: 209ceea576a399ab8aa142706b2930a1 SHA-1: 2ca1f4336836b988e688b284130797e2dcbd764a SHA-256: 51857dc603b0100b067322faa46b3047058040762d8f7e1d96e0181edcdfa6fd
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple links to external websites that appear to be related to Roblox game hacks and free Robux. The heuristic firings indicate the presence of external URIs and a high ML score for maliciousness. The document also contains a heuristic for security bypass, suggesting it may instruct the user to disable security features, which is a common tactic for malware delivery. The presence of these elements strongly suggests a malicious intent to trick users into visiting potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 4

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://netcdn.xyz/app/431946152/what-do-you-do-if-you-get-hacked-on-roblox-game-hack PDF link annotation
    • https://guiasderonda.es/ckfinder/userfiles/files/how-to-hack-roblox-free-robux-no-download.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/notoriety-roblox-loot-bag-cheat.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/bux-city-free-robux.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/le-hackean-jugando-a-roblox.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/free-robux-codes-no-survey-2021-october.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/roblox-counter-blox-wall-hack-download.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/character-robux-hack-in-youtube.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/free-robux-february-2021.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/programas-para-hackear-roblox.pdfIn PDF document text
    • https://guiasderonda.es/ckfinder/userfiles/files/game-like-roblox-free.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004210.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4210 25456 bytes
SHA-256: b1b5b8d5d4077d77ae55843633819243c73641a69eecfd1a30781d27d5e60059
font_01_sfnt_off00007cdd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7CDD 19292 bytes
SHA-256: daf50d7ba61e68651a5513b11abcc4fad2eaf90b8d959d008e231d4d55ff283c