Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4d5ab9fb76d30bc…

MALICIOUS

PDF

52.0 KB Created: 2021-04-06 13:17:03 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-16
MD5: ee3b1f8814f5a290faeb275f19d0c057 SHA-1: 255694c07143d0cd5069db78991ea926fd8e67f5 SHA-256: b4d5ab9fb76d30bc19435b508a4ba8d7e587c71cc665f55f5efde30d0cea304c
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains multiple embedded URLs, with a primary link directing users to a website promising Roblox game hacks. This lure, combined with heuristics indicating a 'game hack redirect' and a 'visual download button', strongly suggests a social engineering attack. While no scripts were extracted, the presence of numerous malicious-looking URLs points to a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8896

Heuristics 4

  • PDF links to a 'free generator / game hack' redirector critical PDF_GAME_HACK_REDIRECT_LURE
    PDF's clickable action targets a redirector of the form /app/<id>/<slug>-game-hack — the landing-page shape of a large SEO 'free spins / generator / game hack' lure family that funnels victims through rotating disposable hosts to a malware/scam payload. The multi-link variants also trip ML/link-farm rules; this catches the single-link variants that otherwise score clean. CRITICAL on its own: the /app/<id>/<slug>-game-hack path shape is unambiguous scam infra, and the host rotates so a host-list match can't be relied on.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://enigmagenerator.com/app/431946152/roblox-game-hack PDF link annotation
    • http://depelem.fr/images/free-doumins-to-wear-out-of-game-roblox.pdfIn PDF document text
    • http://ozonizarint.com/images/free-coins-roblox-assassin.pdfIn PDF document text
    • http://www.ideastreet.it/images/roblox-cheat-engine-pastebin.pdfIn PDF document text
    • http://famoirs.co.uk/images/how-to-hack-roblox-in-poison.pdfIn PDF document text
    • http://svp-steinmaur.ch/images/free-robux-grould.pdfIn PDF document text
    • http://www.reikiusui.it/images/roblox-noot-noot-hack.pdfIn PDF document text
    • http://www.zdravazena.sk/images/free-roblox-promo-codes-2021-for-robux.pdfIn PDF document text
    • https://verdensbarn.no/images/hack-roblox-dragon-ball-rage-2021.pdfIn PDF document text
    • http://solidkom.ch/images/roblox-giant-dance-off-simulator-free-maschrum-pack.pdfIn PDF document text
    • https://www.tqma.com.ec/images/free-robux-no-human-verification-2021-or-survey-no-download.pdfIn PDF document text
    • http://lichtdrukkerijwijchen.nl/images/dbz-galaxy-burst-roblox-cheats.pdfIn PDF document text
    • https://winterpol.eu/images/roblox-free-robux-pastebin-2021.pdfIn PDF document text
    • http://lksim.com/images/how-to-have-a-coo-roblox-avatar-for-free.pdfIn PDF document text
    • http://www.beged.at/images/free-robux-games-2021.pdfIn PDF document text
    • http://energotestcontrol.ru/images/how-to-get-free-roblox-on-a-computer.pdfIn PDF document text
    • http://nevesomost.by/images/roblox-walk-speed-hack.pdfIn PDF document text
    • http://sullivanhall.co.nz/images/free-roblox-exploits-2021-for-mac.pdfIn PDF document text
    • http://dos.most.gov.la/images/asshurt-roblox-hack.pdfIn PDF document text
    • http://piadaandco.it/images/gift-card-generator-hack-robux-codes-hot.pdfIn PDF document text
    • http://www.comitatoiseo.org/images/free-robux-gift-card-numbers-2021.pdfIn PDF document text
    • http://lookpaineis.com.br/images/roblox-premium-account-free.pdfIn PDF document text
    • https://studiodegaetano.it/images/robux-hack-generator-club.pdfIn PDF document text
    • https://www.cpnf.ch/images/how-get-free-roblox.pdfIn PDF document text
    • http://ghegamethu.vn/images/roblox-health-hack-cheat-engine.pdfIn PDF document text
    • http://homequeen.de/images/how-to-get-free-robux-easy-1-munuit.pdfIn PDF document text
    • http://www.cuniv-naama.dz/images/how-to-hack-roblox-accounts-online.pdfIn PDF document text
    • http://kcr-rochlitz.de/images/robux-hack-pastebincom-raw.pdfIn PDF document text
    • http://www.gadanie.lv/images/download-flying-hack-for-roblox.pdfIn PDF document text
    • http://italymania.ru/images/how-to-hack-in-nba-phenom-roblox.pdfIn PDF document text
    • http://agrupamentoescolas-alfredo-da-silva.com/images/earn-rixty-codes-for-free-robux.pdfIn PDF document text
    • http://almacargo.com/images/free-roblox-code-generator.pdfIn PDF document text
    • http://force-seniorklub.dk/images/files-blue-roblox-hack-download.pdfIn PDF document text
    • http://medinup.pt/images/free-robux-wallpaper.pdfIn PDF document text
    • https://www.audev.com/images/how-to-use-editthiscooke-to-hack-accounts-in-roblox.pdfIn PDF document text
    • http://behsanroshd.com/images/free-stob-in-roblox.pdfIn PDF document text
    • https://www.albisser.ch/images/rbx-boots-free-robux.pdfIn PDF document text
    • https://reggieslockandkey.com/images/free-youtube-shirt-roblox.pdfIn PDF document text
    • http://bunadsmaria.com/images/how-to-get-robux-free-no-hack.pdfIn PDF document text
    • http://www.anies.eu/images/how-to-hack-giovannis-roblox-account.pdfIn PDF document text
    • http://energotestcontrol.ru/images/hacken-on-roblox.pdfIn PDF document text
    • http://www.web.stc-part.co.th/images/roblox-noob-costume-free.pdfIn PDF document text
    • http://evro-okna.net/images/roblox-cheat-engine-robux-hack-2021.pdfIn PDF document text
    • https://www.romedia.gr/images/roblox-hack-free-robux-pastebin.pdfIn PDF document text
    • http://yochin.org.tw/images/i-succ-for-free-robux.pdfIn PDF document text
    • http://berntfoto.dk/images/free-robux-codes-november-2021.pdfIn PDF document text
    • https://gimnaziya6.kz/images/how-to-get-free-robux-in-10-minutes.pdfIn PDF document text
    • http://www.barkas-n-i.gr/images/roblox-how-to-get-free-gift-card.pdfIn PDF document text
    • http://sscclc.edu.ec/images/image-veste-army-free-roblox.pdfIn PDF document text
    • http://www.mjclautrec.fr/images/free-wings-in-roblox.pdfIn PDF document text
    +6 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00006d6a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D6A 25732 bytes
SHA-256: 64bf9f574620185af182ee0935412a9977baf7f58c0076824a1d96efcdf4b24e
font_01_sfnt_off0000a81a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xA81A 18076 bytes
SHA-256: 17031ed69604368227687d32a72a3ee5fae35d42b72e511c9f34dd2f0a059184

Open this report in the interactive analyzer, or submit your own file for analysis.