Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e6dffb19a408141…

MALICIOUS

PDF

Size: 254.1 KB
Created: 2021-04-05 16:20:12 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 552aaec7e387d92bb86045296b35071b
SHA-1: 8006524c1e972eca9803f93fd154fcb665fe024f
SHA-256: 5e6dffb19a40814173f9fa86acc5125b49b252291657c0fd7619d5aca26d0650
Risk Score: 112

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document detected by ClamAV as phishing malware. It contains multiple embedded URLs related to Roblox hacks and exploits. The document body, though heavily obfuscated, combined with the 'SE_CLIPBOARD_COMMAND_LURE' heuristic, suggests the user is being prompted to interact with shell commands, likely to download or execute a malicious payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0958

Heuristics (5)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gaminggenerator.org/app/431946152/roblox-hack-ios-jailbreak
    • http://southernhills-golf.com/images/roblox-hack-top.pdf
    • http://schlossschaenke-andernach.de/images/free-roblox-exploits-2021.pdf
    • http://iedarelief.us/images/free-robux-generator-no-survey-or-downloads.pdf
    • https://wandpiraten.de/images/roblox-hack-apk-android.pdf
    • http://www.likto.eu/images/how-to-run-faster-in-roblox-hack-murder-mystery.pdf
    • http://kovroff.com.ua/images/coment-installer-un-cheat-roblox-bee-swarm-simulator-miel-infini.pdf
    • http://schottlandfieber.de/images/robux-gift-card-hack-code.pdf
    • http://per-bittner.de/images/apocalypse-rising-roblox-mac-hack.pdf
    • http://enosiderma.gr/images/hacked-case-clicker-roblox.pdf
    • http://pielab.gr/images/roblox-deathrun-cheats.pdf
    • http://www.fanciullovito.it/images/how-do-you-get-free-robux-on-ipad-mini.pdf
    • http://aiyta.com/images/roblox-thinknoodles-free-fall.pdf
    • https://omhelsjehart.nu/images/free-promo-codes-2021-roblox.pdf
    • http://immo360grad.com/images/free-vip-roblox-account-that-really-work.pdf
    • http://www.reikiusui.it/images/bots-hacker-en-roblox.pdf
    • http://jdlrelocation.com/images/free-scipt-loader-roblox.pdf
    • http://g3galileo.com/images/roblox-cheat-engine-table-download.pdf
    • https://www.porthos.it/images/cheat-roblox-retail-tycoon-2021.pdf
    • http://hardbit.cn/images/dgeler-rocach-earn-free-robux.pdf
    • http://bufbd.org/images/hack-rogue-roblox.pdf
    • https://www.lavigny.ch/images/homestore-free-roblox.pdf
    • http://casabea.de/images/how-to-get-free-robux-real-life.pdf
    • http://jointworkstudio.com/images/robux-free-pw.pdf
    • http://www.gearestauri.it/images/how-to-get-free-robux-online-generator.pdf
    • http://bned-leader.co.uk/images/why-is-it-so-easy-to-hack-roblox.pdf
    • https://farkas.de/images/roblox-free-rade.pdf
    • http://auto-mankel.de/images/hacks-in-horrifick-housing-roblox.pdf
    • http://serviio.org/images/god-mode-dll-hack-roblox.pdf
    • https://treeconsult.de/images/hacks-para-roblox-jailbreak-dinero.pdf
    • https://www.air-shop.cz/images/free-roblox-condo.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_003_off00038d30.bin
    SHA-256: 51c740797a6ebafa77343e0aee8ab5f0379e3ef47af9ae8923abc8ad67204c3a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x38D30
    Size: 25308 bytes
  • font_01_sfnt_off0003c7c9.bin
    SHA-256: 972979c3a46100cf5f8fd289bc6fbd2496ff75fec0e3f6753648c72ec6eba714
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3C7C9
    Size: 2820 bytes
  • font_02_sfnt_off0003d169.bin
    SHA-256: c34124b9670cc522cb86cc93f4007660869d819b7254c53377e05e807605afd9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3D169
    Size: 18032 bytes