Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a4cf5bf43c17d88…

MALICIOUS

PDF

Size: 244.8 KB
Created: 2021-04-04 11:07:05 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b690768e29a64fb30ba975b8e4e3b785
SHA-1: 017ff189a567968ac4cc2683606402adbbf4a489
SHA-256: 6a4cf5bf43c17d88cb230968dfb2923af1028d61dfc8ee0660ade659f274c9c2
Risk Score: 72

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Pdf.Phishing.Roblox062100-9873116-0, indicating a phishing attempt related to Roblox cheats. The document body, though heavily obfuscated, contains references to 'Dragon Ball Rage Roblox Cheat Engine Hack' and the authoring application 'wkhtmltopdf', suggesting it's a crafted lure. The presence of numerous URLs pointing to sites offering 'free Robux' or 'hacks' further supports the phishing and social engineering attack pattern.

Machine Learning

  • Nyx PDF Classifier: clean score 0.1227

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://gaminggenerator.org/app/431946152/dragon-ball-rage-roblox-cheat-engine-hack
    • http://kancelaria-legnica.eu/images/how-to-get-free-robux-on-roblox-no-builders-club.pdf
    • https://asesoriamss.com/images/free-robux-generator-for-xbox-one-no-verification.pdf
    • http://elllanorestaurants.com/images/nuevos-hacks-de-roblox-2021.pdf
    • http://leigraphics.com/images/tower-of-hell-roblox-hack.pdf
    • http://modlingua.com/images/fencing-reach-hack-roblox.pdf
    • https://www.stkdb.cz/images/how-to-hack-roblox-and-get-meep-city-coins-fast.pdf
    • https://www.sitiwebjoomla.it/images/get-free-robux-on-android.pdf
    • http://ernstgloves.co.il/images/roblox-hack-2021-no-human-verification.pdf
    • http://yogaschooldecypres.be/images/roblox-toy-codes-free-2021-jan.pdf
    • http://www.apocalissedigesucristo.com/images/hack-fhantom-forces-roblox.pdf
    • https://www.mvp.co.nz/images/roblox-robux-codes-hack-download-pc.pdf
    • https://www.cosmosdawn.net/images/how-to-get-free-tix-on-roblox-no-hack.pdf
    • http://tecnodue.com/images/how-to-hack-a-roblox-server-and-save-it.pdf
    • http://belagrogen.by/images/how-to-get-free-robux-and-tix-using-inspect-element.pdf
    • http://bibliotheque-perrigny-les-dijon.fr/images/http-robux-free-in.pdf
    • https://www.ausecus.com/images/roblox-jailbreak-hack-pay.pdf
    • http://pourvosvacances.com/images/roblox-admin-hack-pastebin.pdf
    • https://www.saisystem.it/images/is-there-a-free-way-to-change-roblox-name.pdf
    • http://imp.lg.ua/images/mad-fucker-roblox-hack.pdf
    • http://arch-centr.ru/images/startingsploit-roblox-hack-download.pdf
    • https://www.ghknights.org/images/how-to-get-money-on-roblox-with-cheat-engine-63.pdf
    • http://techmobil.pl/images/robux-free-gift-card-org-generator.pdf
    • http://dennemaat.nl/images/roblox-yin-vs-yang-cheat.pdf
    • http://solidkom.ch/images/roblox-how-to-hack-phantom-forces.pdf
    • http://baah.ca/images/roblox-vampire-hunters-2-cheats.pdf
    • http://interpretation-dessins-enfants.net/images/free-roblox-meep-city.pdf
    • http://nevesomost.by/images/rbxfree-com-free-robux.pdf
    • http://acktivities.com/images/free-skin-in-roblox-2021.pdf
    • http://www.occquimica.com.br/images/free-robux-and-limiteds-generator.pdf
    • http://www.gadanie.lv/images/ways-to-earn-free-robux.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_007_off00037ea2.bin
    SHA-256: 22492e318a225390d0f01d3a31701a95e922e704582468a7c69296adfa488a2c
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x37EA2
    Size: 19952 bytes
  • Filename: font_01_sfnt_off0003a96a.bin
    SHA-256: 9f9873079e73cc448288ee38a57df1adb52f76eb4c294246e1b2dedf10dc9055
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3A96A
    Size: 18564 bytes