Malicious PDF — malware analysis report

Static analysis result for SHA-256 b28bb9e905fd37d7…

MALICIOUS

PDF

47.2 KB Created: 2021-04-02 15:02:19 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-18
MD5: a96e9f5f6dd19ecd03c84651b3f0eb0a SHA-1: 96beb3fb0a6f48a76b865951f01f7f1ad35a3865 SHA-256: b28bb9e905fd37d73c4a17df089ad8be416db6c292c006f85717df320f3b9c4f
122 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The PDF document contains lures related to obtaining free items in Roblox, a common theme for malware distribution. Heuristics indicate the document attempts to trick the user into executing commands via the clipboard, likely to download a secondary payload from URLs such as http://gaminggenerator.org/app/431946152/how-to-get-a-free-vip-server-on-roblox-2021. The presence of 'cmd-juegos-hack-roblox-2021.pdf' and 'http://bkd1.balikpapan.go.id' further suggests an attempt to execute commands.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9192

Heuristics 5

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/how-to-get-a-free-vip-server-on-roblox-2021 PDF link annotation
    • https://www.foodsafety.cz/images/how-to-get-free-robux-mythical-chaos.pdfIn PDF document text
    • https://www.beaufortcollege.ie/images/ultimate-free-robux-generator.pdfIn PDF document text
    • http://www.zdravazena.sk/images/how-to-cheat-robux.pdfIn PDF document text
    • http://portal.crfsp.org.br/images/free-robux-voucher-codes.pdfIn PDF document text
    • https://crank.ee/images/roblox-free-tycoon.pdfIn PDF document text
    • http://echosvoix.ch/images/free-robux-on-roblox-without-human-verification.pdfIn PDF document text
    • http://www.sapaengineering.kz/images/free-robux-download.pdfIn PDF document text
    • https://www.eglihotel.gr/images/roblox-free-robux-free-download.pdfIn PDF document text
    • http://www.cuniv-naama.dz/images/roblox-rs-cheat-2021.pdfIn PDF document text
    • http://www.eurosan1.ba/images/roblox-scratchy-youtube-how-to-get-free-games.pdfIn PDF document text
    • https://eddar.fr/images/can-you-use-cheat-engine-on-roblox.pdfIn PDF document text
    • http://poltekkeskhjogja.ac.id/images/descargar-roblox-hack-robux-para-android.pdfIn PDF document text
    • https://www.eglihotel.gr/images/hack-pour-roblox.pdfIn PDF document text
    • http://salantiskis.lt/images/free-roblox-decal-pictures.pdfIn PDF document text
    • https://technospektr.com.ua/images/how-to-gte-free-robux-codes-for-pc-2021-october.pdfIn PDF document text
    • http://www.gadanie.lv/images/roblox-hack-freehackshop.pdfIn PDF document text
    • http://www.lycee-langevin-wallon.com/images/trybox-site-free-robux.pdfIn PDF document text
    • http://domaizdereva24.ru/images/free-roblox-catolog.pdfIn PDF document text
    • http://learningarabic.co.uk/images/roblox-dll-scripts-cheat-engine-pastebin.pdfIn PDF document text
    • http://www.mjclautrec.fr/images/free-400-robux-code.pdfIn PDF document text
    • https://pa-waingapu.go.id/images/comandos-cmd-juegos-hack-roblox-2021.pdfIn PDF document text
    • http://bkd1.balikpapan.go.id/images/how-to-download-a-roblox-jail-break-hack.pdfIn PDF document text
    • https://estalagemmonteverde.com.br/images/roblox-your-bizarre-adventure-steel-ball-run-hack.pdfIn PDF document text
    • http://aeroclub-kaernten.at/images/ways-to-get-robux-without-hacking.pdfIn PDF document text
    • https://www.lomrad.go.th/images/roblox-jailbreak-free-car-scripts.pdfIn PDF document text
    • https://esl.ipb.ac.id/images/roblox-tuxedo-t-shirt-free.pdfIn PDF document text
    • https://kimolos-link.gr/images/www-roblox-hack-download.pdfIn PDF document text
    • https://www.foodsafety.cz/images/free-pokemon-t-shirts-roblox.pdfIn PDF document text
    • https://www.beaufortcollege.ie/images/how-does-roblox-gg-hack-your-acc.pdfIn PDF document text
    • https://www.dierenartsberghman.be/images/how-to-hack-level-on-roblox-paintball.pdfIn PDF document text
    • http://www.htc.edu.au/images/free-roblox-vip-super-power-training-sim-servers.pdfIn PDF document text
    • https://www.cpnf.ch/images/how-to-get-free-robux-kid-friendly.pdfIn PDF document text
    • https://tokunfome.com.br/images/roblox-dinosaur-world-progression-cheat.pdfIn PDF document text
    • http://www.drent.se/images/roblox-grab-the-child-hacks.pdfIn PDF document text
    • https://eddar.fr/images/free-accounts-roblox-2021-live.pdfIn PDF document text
    • https://kimolos-link.gr/images/0-0-roblox-hacker.pdfIn PDF document text
    • https://www.seeingindependence.org/images/tuto-comment-hack-robux.pdfIn PDF document text
    • https://verdensbarn.no/images/roblox-studio-free-templates.pdfIn PDF document text
    • https://eddar.fr/images/free-roblox-promo-toy-keys.pdfIn PDF document text
    • http://www.hawler.in/images/robux-hack-no-verify.pdfIn PDF document text
    • https://corbo.ru/images/redeem-roblox-promotions-free-2021.pdfIn PDF document text
    • http://www.inservis.cl/images/roblox-jailbreak-hack-money-no-human-verification.pdfIn PDF document text
    • http://www.fanciullovito.it/images/free-pants-roblox-catalog.pdfIn PDF document text
    • http://nevesomost.by/images/get-free-robux-2021-no-survey.pdfIn PDF document text
    • https://www.air-shop.cz/images/cheat-codes-for-adopt-me-roblox.pdfIn PDF document text
    • https://www.lavigny.ch/images/tiny-tanks-roblox-hack.pdfIn PDF document text
    • http://cosver.eu/images/how-to-get-free-robux-robux-generator.pdfIn PDF document text
    • http://www.eurologistiki.gr/images/how-to-get-free-unlimited-robux-glitch.pdfIn PDF document text
    • https://sitam.co.in/images/roblox-free-play-no-app.pdfIn PDF document text
    +3 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00005b87.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5B87 24360 bytes
SHA-256: 1c4521c7833da87eec6be0a20e367ff1047d1d734ba167914fc77ffc353558b7
font_01_sfnt_off00009361.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x9361 18556 bytes
SHA-256: b628ccda21b53b456932839e6e80d1256314f7366097718922598f4431cbd9eb

Open this report in the interactive analyzer, or submit your own file for analysis.