Malicious PDF — malware analysis report

Static analysis result for SHA-256 990e78d641ac1039…

MALICIOUS

PDF

57.5 KB Created: 2021-04-05 23:24:11 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-18
MD5: 6bff1aa84975c69e4ad7302a1eab7e5b SHA-1: ce3067de1c182212594fa100511e9f69a34387f7 SHA-256: 990e78d641ac103976eca4771a18ddfc790392072497d68a3bbca73ee86927a1
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.007 JavaScript

The PDF document employs social engineering tactics by impersonating the Chase brand and luring the user with a "free audio uploader for Roblox" offer. It directs the user to a suspicious URL, which is a common method for distributing malware or conducting credential phishing. The ML classifier also flagged this PDF as malicious, supporting the assessment of a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7795

Heuristics 5

  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://gaminggenerator.org/app/431946152/free-audio-uploader-for-roblox.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/free-audio-uploader-for-roblox PDF link annotation
    • http://bilhetim.com.br/images/javascript-hack-roblox.pdfIn PDF document text
    • https://laconce.com/images/jump-hack-roblox-cheat-engine-2021.pdfIn PDF document text
    • http://www.kalaaliaraq.dk/images/codes-to-get-free-robux-may.pdfIn PDF document text
    • http://www.mjclautrec.fr/images/double-jump-roblox-hack.pdfIn PDF document text
    • http://standart-lab.ru/images/roblox-legendary-football-speed-hack.pdfIn PDF document text
    • https://cdu-lengerich.de/images/how-to-hack-gear-in-the-roblox-catalog.pdfIn PDF document text
    • https://www.fenews.co.uk/images/how-to-get-a-free-gear-in-roblox.pdfIn PDF document text
    • http://texnes-plus.gr/images/hack-roblox-android.pdfIn PDF document text
    • https://sitam.co.in/images/jailbreak-roblox-cheat-codes.pdfIn PDF document text
    • https://wandersuechtig.de/images/hack-roblox-account-kali-linux.pdfIn PDF document text
    • http://firesafetyservices.biz/images/free-sonic-costume-roblox.pdfIn PDF document text
    • https://bgescc.com/images/roblox-background-2021-its-free.pdfIn PDF document text
    • http://goosesscuba.com/images/how-to-do-a-roblox-hack.pdfIn PDF document text
    • http://standart-lab.ru/images/free-roblox-generator-no-human-verification.pdfIn PDF document text
    • http://alexanderautos.co/images/hacks-for-games-roblox.pdfIn PDF document text
    • https://ghpa.ru/images/roblox-free-generator-no-verification.pdfIn PDF document text
    • https://www.dierenartsberghman.be/images/free-roblox-hbe.pdfIn PDF document text
    • https://www.gvandenakker.nl/images/how-to-hack-in-roblox-2021.pdfIn PDF document text
    • http://finalstand.org/images/free-roblox-gift-card-codes-2021-generator.pdfIn PDF document text
    • http://ims-77.fr/images/roblox-mobile-cheats.pdfIn PDF document text
    • http://stitchingart.com/images/roblox-free-gui-op.pdfIn PDF document text
    • http://nikabio.com/images/how-do-you-get-free-robux-on-roblox-ipad.pdfIn PDF document text
    • http://optsuvenir.by/images/roblox-online-robux-hack.pdfIn PDF document text
    • http://geometraperiotto.it/images/are-the-free-robux-fake.pdfIn PDF document text
    • http://www.cosver.nl/images/free-robux-obby-real.pdfIn PDF document text
    • http://sbm-nn.ru/images/hack-roblox-cheat-engine-64.pdfIn PDF document text
    • http://berntfoto.dk/images/free-download-roblox-for-kids-on-laptop.pdfIn PDF document text
    • http://www.conservatoriolecce.it/images/roblox-yin-vs-yang-ninja-assassin-hack.pdfIn PDF document text
    • http://aeroclub-kaernten.at/images/hacker-roblox-portable.pdfIn PDF document text
    • http://riccardodurso.it/images/shotgun-willy-cheat-codes-roblox-id.pdfIn PDF document text
    • http://karolinaherrera.com/images/roblox-my-boyfriend-cheated-on-me.pdfIn PDF document text
    • http://kermas.eu/images/roblox-free-avtar-makers.pdfIn PDF document text
    • https://www.saisystem.it/images/beyond-roblox-hack.pdfIn PDF document text
    • http://ozonizarint.com/images/is-there-any-way-to-get-robux-for-free.pdfIn PDF document text
    • http://yogaschooldecypres.be/images/roblox-hand-hack.pdfIn PDF document text
    • http://www.malonmalon.com.ar/images/how-do-you-get-free-robux-with-cheat-engine.pdfIn PDF document text
    • https://www.mvp.co.nz/images/mapa-de-free-fire-roblox.pdfIn PDF document text
    • http://iluvlocalplaces.com/images/how-to-hack-robux-in-1-min.pdfIn PDF document text
    • https://www.air-shop.cz/images/free-roblox-codes-for-robux-2021.pdfIn PDF document text
    • http://elllanorestaurants.com/images/lazyblox-com-free-robux-generator.pdfIn PDF document text
    • http://schottlandfieber.de/images/free-robux-reedem.pdfIn PDF document text
    • https://www.academiaanticorrupcion.org/images/hack-nuevo-para-roblox-2021-editar-servidor.pdfIn PDF document text
    • http://bassacctaxservices.com/images/free-anime-roblox-clothes.pdfIn PDF document text
    • http://legs11.co.za/images/how-to-get-free-roblox-robux-on-roblox.pdfIn PDF document text
    • http://cristalysoptic.com/images/hack-t-shirt-roblox.pdfIn PDF document text
    • http://techmobil.pl/images/how-to-get-free-shirts-on-roblox-2021-without-bc.pdfIn PDF document text
    • http://ecoleduchat-grenoble.fr/images/robux-hack-no-verification-or-survey-or-id.pdfIn PDF document text
    • https://lesegais.ru/images/roblox-games-with-free-radio.pdfIn PDF document text
    • http://itbits.ie/images/free-robux-rixty-2021.pdfIn PDF document text
    +10 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00008172.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8172 26792 bytes
SHA-256: 6ecd58e2d2a07a2fddfa7abb2e87f99651be20efeed48981b949d6e64d8547e6
font_01_sfnt_off0000bdcc.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xBDCC 18204 bytes
SHA-256: a73f965175d17aad846c858e5be8b1d7b2a7f20f19abc6cd3fe332cf5fa2642b