Malicious PDF — malware analysis report

Static analysis result for SHA-256 853314105be490c1…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Created: 2021-04-03 16:51:46 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-10-24
MD5: a643af4a14c7b6ee842926ffb3297f83
SHA-1: 9daa85284823ec4d69ffa3bbea883d49aa7c937c
SHA-256: 853314105be490c15343046920298b6e8d6a606cc7595e888da529e7174de1df
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous URLs that promise free Roblox exploits and Robux, indicating a lure for users to download potentially malicious content. The ML classifier and heuristic firings strongly suggest malicious intent, likely to trick users into downloading malware or visiting phishing sites. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9500

Heuristics (4)

  • LOLBin token sequence in document text (severity: high, rule: SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure (severity: low, rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each with the channel through which it was reached):
    • http://gaminggenerator.org/app/431946152/may-2021-best-free-roblox-exploit (channel: PDF link annotation)
    • http://learningarabic.co.uk/images/como-hackear-cualquier-cuenta-en-roblox.pdf (channel: PDF document text)
    • http://salantiskis.lt/images/how-to-hack-games-on-roblox-2021.pdf (channel: PDF document text)
    • https://www.osoc.com/images/counter-blox-roblox-offensive-money-hack.pdf (channel: PDF document text)
    • https://ballaratcaravans.com.au/images/how-to-get-free-robux-chamello.pdf (channel: PDF document text)
    • http://echosvoix.ch/images/el-pacmero-hack-roblox-robux.pdf (channel: PDF document text)
    • http://gops.pruszczgdanski.pl/images/free-injector-for-roblox-v3rm.pdf (channel: PDF document text)
    • https://www.wildpark-johannismuehle.de/images/free-robux-cards-2021.pdf (channel: PDF document text)
    • http://svp-steinmaur.ch/images/free-sonic-costume-roblox.pdf (channel: PDF document text)
    • http://www.awakeningtruth.org/images/free-roblox-card.pdf (channel: PDF document text)
    • https://www.wildpark-johannismuehle.de/images/roblox-free-2021-robux.pdf (channel: PDF document text)
    • https://corbo.ru/images/roblox-hack-sahrbite-pastebin.pdf (channel: PDF document text)
    • http://www.inservis.cl/images/free-tix-and-robux-generator-no-survey.pdf (channel: PDF document text)
    • https://gomsa.nl/images/how-do-you-get-free-robux-without-pastibein-raw.pdf (channel: PDF document text)
    • http://svp-steinmaur.ch/images/how-to-have-free-face-in-roblox.pdf (channel: PDF document text)
    • https://www.fhccu.com/images/how-to-install-hack-on-roblox.pdf (channel: PDF document text)
    • https://socialvalue.gr/images/utiliser-cheat-engine-sur-roblox.pdf (channel: PDF document text)
    • http://www.sapaengineering.kz/images/hack-para-tener-robux-pastebin.pdf (channel: PDF document text)
    • https://corbo.ru/images/how-to-get-free-robux-using-html-2021.pdf (channel: PDF document text)
    • http://www.zdravazena.sk/images/http-roblox-com-free-robux.pdf (channel: PDF document text)
    • https://www.hotschool.com.au/images/free-roblox-obby.pdf (channel: PDF document text)
    • http://dos.most.gov.la/images/free-robux-2021-december.pdf (channel: PDF document text)
    • http://learningarabic.co.uk/images/cmd-robux-hack-real.pdf (channel: PDF document text)
    • http://www.lycee-langevin-wallon.com/images/hack-de-roblox-jailbreak-2021.pdf (channel: PDF document text)
    • http://nevesomost.by/images/roblox-hack-apocalypse-rising-2021-download.pdf (channel: macro / runtime command snippet)
    • http://escolaarboc.cat/images/roblox-free-robux-2021-no-hack.pdf (channel: PDF document text)
    • http://gops.pruszczgdanski.pl/images/roblox-booga-booga-free-acounts.pdf (channel: PDF document text)
    • https://www.hotschool.com.au/images/alt-hack-roblox.pdf (channel: PDF document text)
    • http://www.cosver.nl/images/how-to-make-group-in-roblox-for-free.pdf (channel: PDF document text)
    • https://www.udivadlahotel.cz/images/free-2021-robux-code.pdf (channel: PDF document text)
    • http://www.exikom.com.ua/images/why-is-roblox-free.pdf (channel: PDF document text)
    • http://www.lycee-langevin-wallon (channel: macro / runtime command snippet)
    • http://en.wikipedia.org/wiki/MIT_License (channel: PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off0000465a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x465A
    Size: 26248 bytes
    SHA-256: e055e00207bcd7a6e83d9048d77a579ac4676ba3b36a200cc577d609fbe84ad0
  • Filename: font_01_sfnt_off00008239.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8239
    Size: 18780 bytes
    SHA-256: 97b667412c1b68fe1141440e38a5ff06163454a745a7fab8a9d7c4970c82ff01