Malicious PDF — malware analysis report

Static analysis result for SHA-256 96075f47c845ad6d…

Verdict: MALICIOUS
File type: PDF
Size: 240.0 KB
Created: 2021-04-05 02:45:06 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: b38252a3eb6e8c3c1f32283025189c01
SHA-1: 0812336cd7e8396cb5ed09f622666fa13000610e
SHA-256: 96075f47c845ad6d84a3d142a6b0d84d6e92e57a53bf37a5357e1f8404393f9f
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file is identified as malicious by a ClamAV signature (specific to Roblox-themed phishing PDFs) and by an ML classifier. The embedded URL points to a site offering a 'Roblox Mml Admin Hack Script', strongly suggesting a phishing or scam attempt to trick users into downloading potentially harmful content. The document body, though heavily obfuscated, contains references to 'Roblox Mml Admin Hack Script' and 'wkhtmltopdf', indicating its likely purpose and the tool used to generate it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5773

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://gaminggenerator.org/app/431946152/roblox-mml-admin-hack-script
    • http://ivalor.fr/images/buy-old-accounts-for-roblox-for-free.pdf
    • https://gabrieliassociati.com/images/how-to-hack-any-account-on-roblox-2021.pdf
    • http://wcasrock.org/images/esp-xray-roblox-hacks.pdf
    • https://www.udivadlahotel.cz/images/how-to-get-free-robux-with-inspect-console.pdf
    • http://berntfoto.dk/images/rbxfree-com-free-robux-2021.pdf
    • http://www.arredifunebri.com/images/how-to-hack-roblox-prison-life-mobile.pdf
    • http://lanoblaie.fr/images/how-to-hack-your-health-on-roblox.pdf
    • https://vtvvaals.nl/images/how-to-hack-roblox-top-model-2021.pdf
    • http://kontaktadig.se/images/get-robux-free-no-survey-waiting.pdf
    • https://sanjoseelectricians.net/images/how-to-turn-in-to-super-sayin-roblox-no-hacks.pdf
    • http://selectionspdf.fr/images/hack-roblox-workin-the-fuck.pdf
    • https://www.cnte.org.br/images/roblox-cheat-engine-god.pdf
    • http://businessmart.ro/images/roblox-free-toycodes-2021.pdf
    • http://ilcommercialista.info/images/roblox-800-free-robux.pdf
    • http://mostowicz.pl/images/free-gift-card-pw-robux.pdf
    • http://energotestcontrol.ru/images/free-robux-description.pdf
    • http://citycare.pt/images/how-to-hack-merder-mistery-roblox.pdf
    • http://safetin.ru/images/five-nights-at-freddys-2-free-roblox.pdf
    • http://www.sitiamministrabili.it/images/roblox-com-free-for-mobile.pdf
    • http://www.arredifunebri.com/images/roblox-lumber-tycoon-2-script-hack.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: stream_002_off000369a6.bin
  SHA-256: 8a0a1965177e504e264b00dc4f883e0237d983b88d62ece227703dbb4a156d56
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x369A6
  Size: 21740 bytes

Artifact 2
  Filename: font_01_sfnt_off00039911.bin
  SHA-256: 07af69f96dce83a4d58e39f43357f5eb3834cc76e5a767c73197f6063375e380
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x39911
  Size: 18620 bytes