Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fcef891ab1e8f54…

Verdict: MALICIOUS
File type: PDF
Size: 246.7 KB
Created: 2021-04-05 06:24:20 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 3b078f8e975c0d84f6eb69b7307be6cf
SHA-1: dbdd671f0a8342df953cf6ce6db1f0952298b71c
SHA-256: 9fcef891ab1e8f5476da0bac0d9f6d388ac35bcaffb1ec6bdc68928ed633c1c6
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is identified as malicious by ClamAV with the signature Pdf.Phishing.Roblox062100-9873116-0, indicating a phishing attempt related to Roblox. The embedded URL points to a site offering a 'Roblox Restaurant Tycoon Cheat Engine', reinforcing the phishing lure. While no scripts were explicitly extracted, the PDF structure and embedded URI suggest an attempt to redirect the user to a malicious site for a purported cheat engine, likely as a lure for credential theft or malware download.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2693

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://gaminggenerator.org/app/431946152/roblox-restaurant-tycoon-cheat-engine
    • https://shimony.net/images/how-to-cheat-in-roblox-pet-simulator-2021.pdf
    • http://adues.org/images/free-helmets-roblox.pdf
    • http://cekmekoygundem.com/images/roblox-health-hack-2021.pdf
    • http://energotestcontrol.ru/images/free-vip-server-roblox-any-game.pdf
    • http://cdescolapios.org/images/visite-roblox-robux-free.pdf
    • http://huananhai.net/images/roblox-galaxy-arcade-cheats.pdf
    • https://roberto-gac.com/images/roblox-fly-hack-unpatchable.pdf
    • https://www.ferienhausdirektkroatien.de/images/hacker-un-compte-roblox.pdf
    • http://hotel-buta.by/images/roblox-html-hack.pdf
    • http://fairwaygolftravel.co.uk/images/roblox-drama-class-cheat-sheet.pdf
    • http://5346000.com/images/how-do-u-get-free-robux-on-ipad.pdf
    • http://yogaschooldecypres.be/images/how-to-get-robux-free-no-hack.pdf
    • http://s-punkt-objects.de/images/what-to-do-if-your-account-is-hacked-on-roblox.pdf
    • https://hassel-event.de/images/roblox-hacks-for-booga-booga.pdf
    • https://gaj.rs/images/roblox-promos-hack-pastebin.pdf
    • http://ohsawamacrobiotics.com/images/admin-roblox-hack-2021.pdf
    • http://gods-own.org/images/roblox-bc-accounts-for-free.pdf
    • http://kim-kinder-im-mittelpunkt.de/images/youtube-how-to-hack-roblox-accounts.pdf
    • http://interpretation-dessins-enfants.net/images/q-clash-roblox-free.pdf
    • http://grand-ural74.ru/images/when-is-rovive-on-roblox-gonna-be-free.pdf
    • http://en.wikipedia.org/wiki/MIT_License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size
  • font_00_sfnt_off000378c2.bin
    SHA-256: 800147b6a7656195ac53bafcc9e5554c1d5a124b4f352d3bcffc84d7ad295420
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x378C2
    Size: 25456 bytes
  • font_01_sfnt_off0003b2cf.bin
    SHA-256: b146f9502769826318e4ef64dcb1b509c8ecddfeebb04397a26513bfac59c82c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3B2CF
    Size: 18736 bytes