Malicious PDF — malware analysis report

Static analysis result for SHA-256 8cc946587ec92bd2…

Verdict: MALICIOUS
File type: PDF
Size: 239.3 KB
Created: 2021-04-04 21:17:14 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 37b7d48521b04c759c85d969ca3fc1ce
SHA-1: e68f83e5000a317957ae91d8915c04ce35e098d7
SHA-256: 8cc946587ec92bd2e3e2d18807025b63b0ddea7448a1e08b4dc739231981cf03
Risk Score: 112

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV with a signature specific to Roblox-themed phishing. Heuristics indicate a fake CAPTCHA or human-verification prompt, a common lure used to trick users into downloading or executing further malicious content. The embedded URL points to a site offering a 'Roblox Hack Robux 2021', reinforcing the phishing and social-engineering character of the sample. No scripts were extracted, but the PDF structure and the nature of the lure leave open the possibility of embedded JavaScript or exploitation of PDF vulnerabilities to achieve execution.

Machine Learning

  • Nyx PDF Classifier clean score 0.0190

Heuristics (5)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Fake CAPTCHA / human verification prompt (severity: high, SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://gaminggenerator.org/app/431946152/roblox-hack-robux-2021-no-human-verification (channel: PDF link annotation)
    • http://en.wikipedia.org/wiki/MIT_License (channel: PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind                      Source                                       Size
stream_003_off00035ea6.bin      decompressed-pdf-stream   PDF FlateDecoded stream at offset 0x35EA6    24188 bytes
    SHA-256: 62c356a0d6011ca8b85a38b8e37305532d9a9b23f3ffd30cf7fc257fa759b238
font_01_sfnt_off000395ec.bin    pdf-font-stream           PDF embedded font (sfnt) at offset 0x395EC   19036 bytes
    SHA-256: 559145fe9ee2fcec247a7469307f4e55fb7790b96d4af3af9b42919e69884bd8