Malicious PDF — malware analysis report

Static analysis result for SHA-256 673bc9c98296bd8b…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Created: 2021-04-04 02:44:39 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-27
MD5: a911a54d1fd5608b977f50d03ca7c048
SHA-1: 8fbb9b017e9717c67a4447446bbe8ef9bf71a373
SHA-256: 673bc9c98296bd8bf9e6d6fb270cb0c408489c88d3649350d2565d112b284890
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains numerous URLs and text fragments related to 'Roblox hacks' and 'cheats', strongly suggesting a lure for users seeking in-game advantages. The presence of an external URI pointing to a suspicious domain, coupled with ML classifier and heuristic firings for malicious PDF content and command execution, indicates a high likelihood of this document being used to distribute malware. The document body's content and embedded URLs are consistent with a phishing or social engineering attack aimed at tricking users into downloading a malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9500

Heuristics (4)

  • LOLBin token sequence in document text (severity: high, SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004497.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4497
    Size: 22384 bytes
    SHA-256: 4cd073ac474922baac57330204511865a3bf67d06b9efff5232a7ad94fa119b7
  • font_01_sfnt_off00007698.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7698
    Size: 18584 bytes
    SHA-256: 830276b0143d261a40e5b94eadbe0706062c5f6e1b9c90fcce7f4a59e13b0e44