Malicious PDF — malware analysis report

Static analysis result for SHA-256 c619e0d36358efaa…

MALICIOUS

PDF

59.2 KB Created: 2021-04-05 18:20:07 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-24
MD5: 024f724d464d0c6d9975e8ad36166628 SHA-1: 23afce74d068f519c6c129d4067dd04330844df3 SHA-256: c619e0d36358efaa3852a6d23a3d67dc77a067ba3c0badcf8f24eb168cfa8a53
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF document contains multiple heuristics indicating malicious intent, including brand impersonation for credential phishing (Facebook) and a lure related to Roblox cheat codes. The document explicitly instructs users to disable security software, a high-risk behavior. Numerous embedded URLs point to external sites, likely serving as landing pages for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7795

Heuristics 5

  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Brand-impersonation credential phishing lure high SE_BRAND_CREDENTIAL_PHISH
    Document impersonates a well-known consumer brand and uses account-security / verification language ('unusual activity', 'account on hold', 'verify your account') to steer the reader to a credential-harvesting link. Corroborated by: call-to-action link host does not match the impersonated brand: http://gaminggenerator.org/app/431946152/roblox-cheat-codes-rocitizensnovember-2021.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/roblox-cheat-codes-rocitizensnovember-2021 PDF link annotation
    • http://domaizdereva24.ru/images/roblox-login-hack.pdfIn PDF document text
    • http://hydroconseil.com/images/boku-no-roblox-remastered-cheat.pdfIn PDF document text
    • http://kruiz21.ru/images/how-to-get-packages-for-free-on-roblox.pdfIn PDF document text
    • http://baah.ca/images/mango-hack-roblox.pdfIn PDF document text
    • http://pdapanache.com/images/roblox-fly-cheat-code.pdfIn PDF document text
    • http://lakomat.by/images/free-robux-generator-roblox-no-survey-pc.pdfIn PDF document text
    • http://www.elis-strechy.cz/images/free-roblox-accounts-2021-with-obc.pdfIn PDF document text
    • https://amatq.ca/images/how-to-noclip-in-roblox-without-cheat-engine-2021.pdfIn PDF document text
    • http://www.nielsen2u.dk/images/cheat-invincible-roblox.pdfIn PDF document text
    • http://www.anies.eu/images/free-game-passes-on-roblox.pdfIn PDF document text
    • http://www.eptaviation.com/images/hack-dragon-ball-z-roblox.pdfIn PDF document text
    • http://haertetechnik-steinbach.de/images/city17-city-rp-roblox-free-guns.pdfIn PDF document text
    • https://lobergetart.se/images/can-you-hack-robux-using-promo-code-inspect-element.pdfIn PDF document text
    • http://meisterhaus-guterl.de/images/como-hacer-un-hack-en-roblox.pdfIn PDF document text
    • http://caraless.com/images/go-to-get-robux-for-free.pdfIn PDF document text
    • https://open-coffee-drimmelen-geertruidenberg.nl/images/free-robux-without-any-verification-or-downloads-or-offers.pdfIn PDF document text
    • https://pemadamapi.net/images/free-robux-generator-no-completing-offers.pdfIn PDF document text
    • https://piscinasmundoacuatico.com/images/free-robux-2021.pdfIn PDF document text
    • https://gafaseo.com/images/how-to-hack-roblox-step-by-step.pdfIn PDF document text
    • https://koeltotaal.com/images/roblox-hack-mobile-generator-net.pdfIn PDF document text
    • http://modenese.net/images/roblox-hoofer-art-hack.pdfIn PDF document text
    • https://www.cosmosdawn.net/images/cheats-for-roblox-android.pdfIn PDF document text
    • http://www.drent.se/images/how-to-hack-mad-city-roblox.pdfIn PDF document text
    • https://reggieslockandkey.com/images/how-to-cheat-in-robux-2021.pdfIn PDF document text
    • https://www.coriglianocalabro.it/images/free-robux-website-no-survey.pdfIn PDF document text
    • http://engelum.com/images/free-roblox-accounts-with-obc-2021-bugmenot.pdfIn PDF document text
    • http://texnes-plus.gr/images/comment-hacker-robux-sur-telephone.pdfIn PDF document text
    • http://www.eurosan1.ba/images/bloxpage-free-robux.pdfIn PDF document text
    • http://www.pro-futuro.eu/images/crack-x-roblox-hack.pdfIn PDF document text
    • http://ernstgloves.co.il/images/roblox-guns-r15-script-hack.pdfIn PDF document text
    • http://daksz.hu/images/free-printable-coloring-page-roblox.pdfIn PDF document text
    • http://jackson-pr.com/images/how-to-hack-into-peoples-roblox-accounts-2021.pdfIn PDF document text
    • http://immo360grad.com/images/comment-hacker-vehicule-simulator-sur-roblox-2021.pdfIn PDF document text
    • http://edelektronarzedzia.pl/images/roblox-free-military-clothes.pdfIn PDF document text
    • https://www.arquetopia.org/images/how-to-hack-roblox-accounts-2021-on-ipad.pdfIn PDF document text
    • http://techmobil.pl/images/free-roblox-rb-world-hacks.pdfIn PDF document text
    • http://stackideas.com/images/free-robux-picture-verification.pdfIn PDF document text
    • http://gops.pruszczgdanski.pl/images/www-free-robux-de.pdfIn PDF document text
    • http://jobsy.com.sg/images/cool-hacked-weapons-roblox-script.pdfIn PDF document text
    • http://uctovnictvosnv.sk/images/free-robux-quick-and-easy.pdfIn PDF document text
    • http://www.sitiamministrabili.it/images/bighead-roblox-free.pdfIn PDF document text
    • https://esl.ipb.ac.id/images/cheat-scripts-scp-site61-roleplay-roblox.pdfIn PDF document text
    • http://amtabor2.at/images/how-to-get-free-followers-roblox-2021-april.pdfIn PDF document text
    • http://columbuscigar.com/images/real-robux-hack-no-survey-2021-febuary.pdfIn PDF document text
    • http://kaleasm.org/images/granny-roblox-cheat-codes.pdfIn PDF document text
    • http://optsuvenir.by/images/lollipop-simulator-hack-sckitp-roblox.pdfIn PDF document text
    • https://studentcareerinfo.com/images/robux-gives-hack.pdfIn PDF document text
    • http://www.lovecraftiana.com.ar/images/roblox-hack-ninja-legends.pdfIn PDF document text
    • https://www.audipec.com.br/images/roblox-hacked-by-blueroes.pdfIn PDF document text
    +14 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000083cc.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x83CC 26748 bytes
SHA-256: 247f5ec97705c2aea45751497e3136e307866f57413728a2b524b763822e813e
font_01_sfnt_off0000c171.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC171 19160 bytes
SHA-256: 1fdff88ae97c51c74d69a269994c327d29f8637b04e28b0794f4d08cdc0e29af

Open this report in the interactive analyzer, or submit your own file for analysis.