Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e8167fd6e227ed6…

MALICIOUS

PDF

56.3 KB Created: 2021-04-06 13:21:58 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 9190e2ca5d173a87bef6e9b51062f86c SHA-1: 5458c8cc8236dd76d8d1d15d5155a428d1e5567a SHA-256: 8e8167fd6e227ed6080682490a45b25e99f551db1035c2d839150232369e1a8f
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier. The file routes users through malicious redirector infrastructure and presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6397

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector high PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://enigmagenerator.com/app/431946152/roblox-game-hack PDF link annotation
    • http://kita-sunshine.de/images/hack-cheats-for-roblox.pdfIn PDF document text
    • http://www.mikramarine.gr/images/free-robux-no-human-verification-or-survey-2021-safe-website.pdfIn PDF document text
    • http://www.eurologistiki.gr/images/how-to-install-wearedevs-hack-roblox.pdfIn PDF document text
    • http://zercalo.org/images/project-alpha-5-hack-roblox.pdfIn PDF document text
    • http://www.mosaikshop.at/images/free-hack-roblox-download.pdfIn PDF document text
    • http://pa-tanjungselor.go.id/images/free-robux-very-easy.pdfIn PDF document text
    • http://wiesbadener-marktplatz.de/images/hack-initiate-unlimited-free-robux-40m.pdfIn PDF document text
    • https://www.osoc.com/images/roblox-hack-hack-de-robux-2021.pdfIn PDF document text
    • http://goosesscuba.com/images/free-roblox-script-exector-september-2021.pdfIn PDF document text
    • http://bassacctaxservices.com/images/guuud-info-free-robux.pdfIn PDF document text
    • http://gamixpaliwa.pl/images/roblox-booga-booga-hack-download-2021.pdfIn PDF document text
    • http://onlinemusicsolutions.com.au/images/roblox-mad-city-hack-download.pdfIn PDF document text
    • http://sdservicesrl.it/images/how-to-get-free-robux-javascript.pdfIn PDF document text
    • https://sectorpravdy.com/images/free-robux-every-month.pdfIn PDF document text
    • http://pdapanache.com/images/how-to-hack-any-roblox-account-including-admins.pdfIn PDF document text
    • http://www.sanjosedeminas.gob.ec/images/free-roblox-accounts-with-life-time-obc.pdfIn PDF document text
    • http://nosocomium.rv.ua/images/roblox-codes-to-get-free-items.pdfIn PDF document text
    • http://www.jureclomas.com.ar/images/roblox-cheat-lua-codes.pdfIn PDF document text
    • http://energotestcontrol.ru/images/roblox-games-for-free-no-download.pdfIn PDF document text
    • https://waterpark.by:443/images/how-to-get-the-guest-body-for-free-in-roblox.pdfIn PDF document text
    • http://centuriatus.com/images/free-roblox-card-code-generator-2021.pdfIn PDF document text
    • http://shiny-nn.ru/images/dis666-roblox-hack.pdfIn PDF document text
    • http://pacatuamigo.com/images/roblox-tycoon-games-free.pdfIn PDF document text
    • http://the-specials.ch/images/free-robux-hack-2021-no-human-verification.pdfIn PDF document text
    • https://www.u-pin-it.com/images/roblox-mobile-how-to-get-free-robux.pdfIn PDF document text
    • http://ltmphoto.com/images/roblox-hacken-und-dafr-free-robux-bekommen.pdfIn PDF document text
    • http://tc-kulmbach.de/images/roblox-hack-no-human-verification-2021.pdfIn PDF document text
    • http://ilccanada.org/images/roblox-hacks-for-bloxburg.pdfIn PDF document text
    • http://www.marambio.com.ar/images/free-robux-real-2021-no-human-verification.pdfIn PDF document text
    • http://nevesomost.by/images/como-convertirse-en-hacker-en-roblox.pdfIn PDF document text
    • http://ivalor.fr/images/how-to-hack-roblox-pepol-haeds-of.pdfIn PDF document text
    • http://www.lycee-langevin-wallon.com/images/how-to-get-free-robux-legitimately.pdfIn PDF document text
    • http://rushxpress.de/images/free-robux-on-ipad-no-verification.pdfIn PDF document text
    • http://pesok-rk.ru/images/hacked-pokemon-games-roblox.pdfIn PDF document text
    • http://unilin21.ru/images/hack-download-roblox-for-free.pdfIn PDF document text
    • http://medicalafrica.net/images/horror-elevator-roblox-mega-vip-free-2021.pdfIn PDF document text
    • http://www.exikom.com.ua/images/free-roblox-robux-generator-2021-no-human-verification-and-survey.pdfIn PDF document text
    • http://prodent.com.ua/images/how-do-i-get-free-hair-on-roblox.pdfIn PDF document text
    • https://www.solucionesdigit.com/images/roblox-cheat-engine-table-and-bypass.pdfIn PDF document text
    • http://infoagronomia.com.ar/images/download-roblox-windows-7-free.pdfIn PDF document text
    • http://www.art-concept.gr/images/how-to-hack-a-roblox-account-still-active.pdfIn PDF document text
    • http://www.it-ro.it/images/download-hacks-for-roblox-cheating-in-assasin.pdfIn PDF document text
    • http://huebner-baustoffe.de/images/www-hack-clients-robloxde.pdfIn PDF document text
    • http://energotestcontrol.ru/images/free-robux-money-adder-apk.pdfIn PDF document text
    • http://glll.de/images/when-will-welcome-to-bloxburg-be-free-on-roblox.pdfIn PDF document text
    • http://glaubensfragen.org/images/free-expert-scripters-roblox.pdfIn PDF document text
    • http://abletrustcare.com/images/como-tener-hacks-en-el-wild-revolvers-roblox.pdfIn PDF document text
    • http://www.fanciullovito.it/images/free-robux-ez-points-gg.pdfIn PDF document text
    • http://echosvoix.ch/images/free-robux-no-test-or-dowmload.pdfIn PDF document text
    +21 more URL(s)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000731f.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x731F 26808 bytes
SHA-256: e0f01f8aa094bd2236335902b71a73e1970a9daf14a5e3f16fb8ca141f0af7ed
font_01_sfnt_off0000af5e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAF5E 2832 bytes
SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
font_02_sfnt_off0000b90f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xB90F 17952 bytes
SHA-256: 14ee4fb6b986872817bda7de4cb2b9a3e7ab2ca7859077ccfa0afa83428bb03d