Malicious PDF — malware analysis report

Static analysis result for SHA-256 706fe30a60a61b5f…

MALICIOUS

PDF

232.5 KB Created: 2021-04-04 21:43:47 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-14
MD5: cdf3eb38531cf59450ea759b8c07507a SHA-1: 88a4ed524c814e132865bb013514a78f0cc8ab81 SHA-256: 706fe30a60a61b5f851bfe04c4110758dbe8b82e50b3951bd69b0dff051c9890
64 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a signature indicating it is a phishing attempt related to Roblox. The embedded URI points to a URL that also relates to obtaining free items in Roblox, reinforcing the phishing lure. Although no scripts were explicitly extracted, the PDF structure and the nature of the URL suggest an attempt to trick users into visiting a malicious site.

Machine Learning

  • Nyx PDF Classifier clean score 0.2041

Heuristics 3

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/how-to-get-free-things-in-roblox-catalog PDF link annotation
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0003564e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3564E 22088 bytes
SHA-256: e33b1bacd0a4cdd412d535cc76a1fe5a3fa1c322c2efd0414833dfd1e6e11f03

Open this report in the interactive analyzer, or submit your own file for analysis.