Malicious PDF — malware analysis report

Static analysis result for SHA-256 d640f1538aa7539b…

MALICIOUS

PDF

252.0 KB Created: 2021-04-04 15:52:34 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-29
MD5: ad7f3ad0b9fbf24352416896c62f30fb SHA-1: 0d6805f6b20fce3eac08a55ca901a5ef6bf76a41 SHA-256: d640f1538aa7539beacbc3932e3b94214f742c63280338c8eb0d06215691859b
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a specific phishing signature related to Roblox. The document body and extracted URLs promote free Roblox gift cards and robux, a common lure for phishing and scam operations. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest a phishing attack designed to redirect users to malicious websites.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2748

Heuristics 4

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/free-free-roblox-gift-cards PDF link annotation
    • http://gestibrok.com/images/roblox-free-robux-generator-no-survey-or-human-verification.pdfIn PDF document text
    • http://techmobil.pl/images/robux-theres-no-way-of-getting-free-robux.pdfIn PDF document text
    • http://www.apocalissedigesucristo.com/images/free-robux-apps-that-dont-use-adgates.pdfIn PDF document text
    • http://www.apocalissedigesucristo.com/images/roblox-robux-giver-hack-download.pdfIn PDF document text
    • https://waterpark.by:443/images/hack-free-codes-roblox.pdfIn PDF document text
    • https://inscastellar.cat/images/cheat-engine-fly-hack-roblox.pdfIn PDF document text
    • http://jaeger-bauplanung.de/images/free-hacking-for-roblox.pdfIn PDF document text
    • https://www.ncscolour.no/images/how-to-get-free-animations-on-roblox-2021.pdfIn PDF document text
    • http://www.compusiteinc.com/images/roblox-com-free-for-mobile.pdfIn PDF document text
    • http://webstan.be/images/robux-free-offers-video.pdfIn PDF document text
    • http://unc-europe.com/images/how-to-get-free-robux-on-roblox-ctrl-s.pdfIn PDF document text
    • http://aeroclub-kaernten.at/images/hack-to-get-free-robux-easy.pdfIn PDF document text
    • http://www.beantownlimo.com/images/free-robux-by-oints.pdfIn PDF document text
    • http://petarda.hu/images/how-to-cheat-piano-on-roblox.pdfIn PDF document text
    • http://egorplitka.ru/images/roblox-magic-simolator-hack-script.pdfIn PDF document text
    • http://ims-77.fr/images/robux-free-co.pdfIn PDF document text
    • http://ohsawamacrobiotics.com/images/dragon-ball-n-roblox-hack.pdfIn PDF document text
    • https://ogm-goettingen.de/images/hack-roblox-pizza-place.pdfIn PDF document text
    • http://www.hawler.in/images/how-to-get-free-robux-on-ipad-2021-easy.pdfIn PDF document text
    • http://www.sapaengineering.kz/images/console-hack-roblox.pdfIn PDF document text
    • https://corbo.ru/images/how-to-make-a-shirt-in-roblox-for-free.pdfIn PDF document text
    • https://wandpiraten.de/images/how-to-make-t-shirts-free-on-roblox.pdfIn PDF document text
    • http://sealysports.com/images/774-hack-roblox.pdfIn PDF document text
    • http://leigraphics.com/images/hack-to-find-youtubers-roblox.pdfIn PDF document text
    • http://nevesomost.by/images/commen-hacker-booga-clasic-sur-roblox-pc-2021.pdfIn PDF document text
    • http://www.agri-tech.com.au/images/roblox-how-to-hack-accounts-no-download.pdfIn PDF document text
    • http://fradiomas.com/images/how-to-see-roblox-shirts-for-free.pdfIn PDF document text
    • http://hk-kan.org/images/roblox-cheats-how-to-get-free-stuff.pdfIn PDF document text
    • http://panaceafamilymedicine.com/images/100-percent-free-robux.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/roblox-glitch-site-free-robux.pdfIn PDF document text
    • https://rincondelentrenador.com/images/best-hacks-for-counter-blox-roblox-offensive.pdfIn PDF document text
    • http://iluvlocalplaces.com/images/como-hackear-cualqiuer-juego-de-roblox.pdfIn PDF document text
    • http://shiny-nn.ru/images/free-roblox-maps.pdfIn PDF document text
    • http://armatrutz.de/images/hack-para-robux.pdfIn PDF document text
    • http://gestibrok.com/images/horizon-alpha-money-hack-may-2021-roblox.pdfIn PDF document text
    • http://ctr74.net/images/how-to-get-free-robux-on-roblox-no-hack.pdfIn PDF document text
    • https://bancroftandsons.com/images/copy-and-paste-for-free-robux.pdfIn PDF document text
    • https://www.dierenartsberghman.be/images/password-cracker-roblox-download-free.pdfIn PDF document text
    • http://bkd1.balikpapan.go.id/images/roblox-hacker-outfit.pdfIn PDF document text
    • http://www.centromedicoaurora.it/images/free-roblox-jpg.pdfIn PDF document text
    • https://wandersuechtig.de/images/free-robux-card-number-enter-code.pdfIn PDF document text
    • http://force-seniorklub.dk/images/tai-roblox-hack.pdfIn PDF document text
    • https://gastroration.ru/images/free-robux-finish-obby-no-password.pdfIn PDF document text
    • http://gops.pruszczgdanski.pl/images/202100-robux-hack.pdfIn PDF document text
    • http://kim-kinder-im-mittelpunkt.de/images/free-ninja-animation-roblox-robuxian.pdfIn PDF document text
    • http://force-seniorklub.dk/images/how-to-get-free-robux-in-one-clip.pdfIn PDF document text
    • http://santeh-40.ru/images/hackear-cuentas-de-roblox-2021.pdfIn PDF document text
    • http://jugendfeuerwehr-scheinfeld.de/images/free-robux-codes-not-clickbait.pdfIn PDF document text
    • https://bancroftandsons.com/images/how-to-get-free-clothes-on-roblox-no-builders-club.pdfIn PDF document text
    +2 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00039087.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x39087 24356 bytes
SHA-256: 7b3bcaf71cd049f392e905b03d33ab642b50db270e8cb18fdc7d09990e1c68cf
font_01_sfnt_off0003c779.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3C779 18160 bytes
SHA-256: 5d50598f63f8705820ba2c92f04372b8d9a344d328ac62c365fd2b60ce4a4735