Malicious PDF — malware analysis report

Static analysis result for SHA-256 b09029db70589041…

Verdict: MALICIOUS
File type: PDF
Size: 57.0 KB
Created: 2021-04-05 23:20:16 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-09-29
MD5: 8832aa42ea805d05c2dd5767fc61562d
SHA-1: 0e280084e2eaac0ff3f3f1b911cfe9455dfa11c5
SHA-256: b09029db705890419669482ef4fff115c72c1f8f7be399108fd1dad991776e06
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The document impersonates PayPal and uses a lure of a "Roblox Tycoon Cash Hack" to entice users to click on malicious links. The presence of a security bypass instruction and the ML classifier flagging the PDF indicate malicious intent. The embedded URLs are likely used to deliver a second-stage payload or facilitate credential phishing.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7795

Heuristics (5)

  • Security software disable instruction (severity: high, SE_SECURITY_BYPASS)
    Document instructs the user to disable antivirus or security software; this is unusual for ordinary documents and high-risk in an unsolicited file.
  • Brand-impersonation credential phishing lure (severity: high, SE_BRAND_CREDENTIAL_PHISH)
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: the call-to-action link host does not match the impersonated brand: http://gaminggenerator.org/app/431946152/roblox-tycoon-cash-hack
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gaminggenerator.org/app/431946152/roblox-tycoon-cash-hack (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off000081ad.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x81AD
    Size: 25708 bytes
    SHA-256: 8dc232cb326734312c7ba92d69c2797c8b05df73717e13660c58a63987acabe1
  • Filename: font_01_sfnt_off0000bc5c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC5C
    Size: 17972 bytes
    SHA-256: b8fae7297cb16c82c41f097be1c28f0a9b398685b5de642a2030ded3beafa687