Malicious PDF — malware analysis report

Static analysis result for SHA-256 5deb6d67ea678bbb…

Verdict: MALICIOUS
File type: PDF
Size: 247.1 KB
Created: 2021-04-05 04:31:33 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: cb7e594b0f3ae5561c2bb15292fef7de
SHA-1: c2d017191ff0b1ea06186974fa586c73bbe6c159
SHA-256: 5deb6d67ea678bbb7bb43c46e57edfc9f0fcb0ed824ef9b49893380be66d33c0
Risk Score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a specific signature indicating a phishing attempt related to Roblox. The document body, though heavily obfuscated, contains text suggesting a lure for 'Free Robux Easy No Human Verification'. The presence of external URIs pointing to similar download lures reinforces this phishing attack pattern. No scripts were extracted, but the PDF structure and embedded URIs are indicative of a social engineering tactic.

Machine Learning

  • Nyx PDF Classifier clean score 0.1052

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gaminggenerator.org/app/431946152/free-robux-easy-no-human-verification
    • http://teknotools.net/images/free-cerberus-roblox.pdf
    • http://escolaarboc.cat/images/free-robux-hack-2021-computer.pdf
    • https://www.eglihotel.gr/images/free-roblox-cbro-hacks.pdf
    • http://ivalor.fr/images/free-roblox-coes.pdf
    • http://www.visiblefilm.com/images/free-robux-get-now.pdf
    • https://stroyzakazremont.ru/images/cheat-engine-roblox-2021.pdf
    • https://hbpbenin.com/images/free-admin-roblox-codes.pdf
    • http://www.bbnest.it/images/roblox-free-play-no-install.pdf
    • http://gops.pruszczgdanski.pl/images/how-to-cheat-in-fame-simulator-roblox.pdf
    • http://santeh-40.ru/images/roblox-jailbreak-hack-exploit.pdf
    • https://gryps.de/images/free-robux-hack-without-survey.pdf
    • http://www.sitiamministrabili.it/images/good-unifrom-making-software-free-roblox.pdf
    • http://seniorenverband-brh-nds.de/images/hack-roblox-jailbreak-money.pdf
    • https://www.stkdb.cz/images/free-roblox-accounts-june-2021.pdf
    • http://domaizdereva24.ru/images/insert-gear-roblox-hack.pdf
    • http://torkelson.se/images/como-descargar-roblox-hack-para-pc.pdf
    • http://giolantapepe.gr/images/roblox-jailbreak-hack-2021-noclip.pdf
    • http://www.pro-futuro.eu/images/rblx-gg-tons-of-robux-free.pdf
    • http://unc-europe.com/images/roblox-script-executor-free-download-2021.pdf
    • http://bwharrisalumniusa.org/images/earn-free-robux-legit.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_003_off000370c1.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x370C1
    Size: 23524 bytes
    SHA-256: 3b71b559ed64e39a872319528d41012ed0a013cb6600e80281b24b76d0adfc34
  • font_01_sfnt_off0003a648.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3A648
    Size: 3992 bytes
    SHA-256: 43e72e756231cfd354bd65c2ed3b09ad4eff56ad11e7f155ed2920e6bb7860dd
  • font_02_sfnt_off0003b36f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3B36F
    Size: 18928 bytes
    SHA-256: 9d660857d9363a69a563c0846f88e24ec5ba871c9d462c72bf328985ec35ebcd