Malicious PDF — malware analysis report

Static analysis result for SHA-256 9af4f932aad26a64…

MALICIOUS

PDF

61.2 KB Created: 2021-04-05 20:39:03 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-02
MD5: 1940fed177c7be3e1cfa425663f4f17a SHA-1: 3e3d1b91fecf0bfdca6b5265a3a7fcfd33140032 SHA-256: 9af4f932aad26a64851eef9b0a19ce3f0ff4740ad10f23c4a8e958c053a1b1db
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File T1553.005 Antivirus Escape

This PDF document was flagged as malicious by an ML classifier. It uses a clipboard-command (paste-and-run) lure and a security-bypass lure. The file presents a deceptive download button. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6193

Heuristics 5

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/how-to-get-50-robux-for-free-2021 PDF link annotation
    • http://apkmaykop.ru/images/roblox-hack-with-no-human-verification.pdfIn PDF document text
    • http://kcr-rochlitz.de/images/how-to-hack-someones-account-on-roblox-2021.pdfIn PDF document text
    • http://jobsy.com.sg/images/is-roblox-on-xbox-one-free.pdfIn PDF document text
    • http://bodyguardsecurityservices.com.au/images/free-roblox-party-printables.pdfIn PDF document text
    • https://www.u-pin-it.com/images/roblox-robot-inc-cheat.pdfIn PDF document text
    • http://bau-lk.de/images/oprewards-hack-robux.pdfIn PDF document text
    • http://domaizdereva24.ru/images/roblox-dragon-ball-rage-cheat.pdfIn PDF document text
    • http://acktivities.com/images/roblox-hack-robux-and-tix-no-download.pdfIn PDF document text
    • http://boliviagasenergia.com/images/how-to-get-free-robux-in-roblox-pc-2021.pdfIn PDF document text
    • http://salantiskis.lt/images/best-free-roblox-screen-recorder.pdfIn PDF document text
    • http://ff-obertraun.at/images/how-to-get-free-robux-on-ipad-no-password.pdfIn PDF document text
    • http://lanoblaie.fr/images/free-robux-quick-and-easy-no-hastle.pdfIn PDF document text
    • https://www.lomrad.go.th/images/free-font-that-looks-like-roblox.pdfIn PDF document text
    • https://www.utalii.ac.ke/images/spiderman-free-roblox-stuf.pdfIn PDF document text
    • http://safari-crimea.com/images/hacks-for-mm2-in-roblox.pdfIn PDF document text
    • http://avocatultau.eu/images/is-roblox-on-nintendo-switch-free.pdfIn PDF document text
    • http://lichtdrukkerijwijchen.nl/images/bloxburg-free-play-roblox.pdfIn PDF document text
    • http://santeh-40.ru/images/kazuin-how-to-hack-in-roblox.pdfIn PDF document text
    • http://chartsmart.com.au/images/uno-reverse-card-roblox-free.pdfIn PDF document text
    • https://uofk.edu/images/websites-which-gives-you-free-robux-no-human-verication.pdfIn PDF document text
    • http://abqwinair.com/images/is-hacking-banned-in-roblox.pdfIn PDF document text
    • http://www.kalaaliaraq.dk/images/roblox-hack-btool-2021-august.pdfIn PDF document text
    • http://jugendfeuerwehr-scheinfeld.de/images/roblox-free-robux-give-away-lve.pdfIn PDF document text
    • https://www.iadh.bi/images/mobilehacks4u-free-robux.pdfIn PDF document text
    • https://www.lomrad.go.th/images/roblox-money-hack-vehicle-simulator.pdfIn PDF document text
    • http://www.beged.at/images/roblox-fly-hack-2021.pdfIn PDF document text
    • https://www.ncscolour.no/images/copy-and-paste-to-terminal-robux-hack.pdfIn PDF document text
    • http://hondenspecialist-engelien.nl/images/how-to-hack-for-more-cash-in-roblox-tycoon-games.pdfIn PDF document text
    • http://www.rezbb.sk/images/roblox-free-working-gift-card-2021.pdfIn PDF document text
    • https://www.cosmosdawn.net/images/roblox-heists-hack.pdfIn PDF document text
    • http://www.elis-strechy.cz/images/elektronomia-free-roblox.pdfIn PDF document text
    • http://telecomworld.pl/images/free-robux-hack-downloader.pdfIn PDF document text
    • http://lillysonthelake.com/images/how-to-get-hacks-for-jailbreak-in-roblox.pdfIn PDF document text
    • http://www.ntc.edu.za/images/roblox-hacker-tycoon-towngameplay.pdfIn PDF document text
    • https://www.cosmosdawn.net/images/tokyo-ghoul-project-killzone-roblox-cheat.pdfIn PDF document text
    • http://goldwing-shop.ru/images/como-hackear-robux-en-roblox-facil-y-rapido.pdfIn PDF document text
    • http://laboraltoledo.com/images/cheat-engine-2021-roblox.pdfIn PDF document text
    • http://engelum.com/images/roblox-prison-life-hack-download-2021.pdfIn PDF document text
    • https://www.knxuk.org/images/adventure-up-cheats-roblox.pdfIn PDF document text
    • http://colegioluisamigo.cl/images/undertale-survive-the-monster-roblox-hack.pdfIn PDF document text
    • http://evp-sanorlenok.ru/images/rblx-city-free-robux.pdfIn PDF document text
    • https://verdensbarn.no/images/free-robux-redeem-codes-2021.pdfIn PDF document text
    • http://panaceafamilymedicine.com/images/hack-stats-on-roblox-game.pdfIn PDF document text
    • http://baah.ca/images/roblox-cheat-engine-hack-2021.pdfIn PDF document text
    • http://www.anies.eu/images/minecraft-roblox-hack.pdfIn PDF document text
    • http://w-i-r.de/images/roblox-tycoon-hack-2021.pdfIn PDF document text
    • http://korporacjaroma.pl/images/coolest-free-items-on-roblox.pdfIn PDF document text
    • http://goldwing-shop.ru/images/hacks-para-roblox-2021-booga-booga.pdfIn PDF document text
    • https://fkg.usu.ac.id/images/how-2-get-free-robux-working-2021.pdfIn PDF document text
    +17 more URL(s)

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off0000845d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x845D 27200 bytes
SHA-256: 2f5a15f4bf0c4c241885b9a730ca9e4d69398b45c019e2a4632a348a0baf7378
font_01_sfnt_off0000c261.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC261 2832 bytes
SHA-256: 77ae1c4cffa647a8fd533dfa4102e94364989f9e80b9cd131876e9d1005899a2
font_02_sfnt_off0000cc11.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xCC11 18052 bytes
SHA-256: c3b335ab64843d33ee0dd2eaf0d5bf4b7a83ef7049ca4a70e7b4d614ce97a119