Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd8c97110e44d5bf…

MALICIOUS

PDF

260.3 KB Created: 2021-04-04 12:36:45 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-09-23
MD5: 210cfd6dd8d7a5d2fa6139fd94816ba5 SHA-1: 21cf87ca730d750c5ed77ca9dd9a96d2f705c590 SHA-256: dd8c97110e44d5bf4b064437f816f79afb44aa7b3a0e77b5ad6d0e330d06f75c
72 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with a specific phishing signature related to Roblox. The document body, though heavily obfuscated, contains references to 'Roblox Lumber Tycoon Cheats' and the presence of external URIs pointing to similar game-related content strongly suggests a phishing or social engineering lure. The primary goal appears to be directing users to download or interact with content hosted on external sites, likely to compromise their accounts or deliver further malware.

Machine Learning

  • Nyx PDF Classifier clean score 0.0183

Heuristics 4

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/roblox-lumber-tycoon-cheats PDF link annotation
    • http://nosocomium.rv.ua/images/rbxrich-free-robux.pdfIn PDF document text
    • http://dos.most.gov.la/images/free-christmas-clothes-roblox-2021.pdfIn PDF document text
    • http://www.pacoestrada.it/images/free-robux-codes-free.pdfIn PDF document text
    • https://www.udivadlahotel.cz/images/robux-hack-2021-no-download.pdfIn PDF document text
    • http://lcs-schlieben.de/images/top-10-best-free-game-executors-roblox.pdfIn PDF document text
    • https://www.laarsenco.nl/images/how-do-you-speed-hack-on-roblox.pdfIn PDF document text
    • http://kruiz21.ru/images/iroblox-club-free-robux.pdfIn PDF document text
    • https://www.bmta.co.uk/images/roblox-thinknoodles-free-fall.pdfIn PDF document text
    • http://legs11.co.za/images/free-robux-hack-using-inspect.pdfIn PDF document text
    • http://vagency.us/images/game-save-gui-roblox-hack.pdfIn PDF document text
    • https://rincondelentrenador.com/images/abs-roblox-free.pdfIn PDF document text
    • https://www.audipec.com.br/images/how-to-get-free-robux-ipod-touch.pdfIn PDF document text
    • https://www.air-shop.cz/images/what-games-work-with-cheat-engine-roblox.pdfIn PDF document text
    • http://www.drent.se/images/roblox-flame-cheat.pdfIn PDF document text
    • https://www.iadh.bi/images/how-to-get-free-robux-2021-mobile.pdfIn PDF document text
    • http://steklofara.com.ua/images/hacks-pa-roblox.pdfIn PDF document text
    • http://hotel-buta.by/images/roblox-hack-game-download.pdfIn PDF document text
    • http://smart-pro.co.uk/images/roblox-games-with-free-music.pdfIn PDF document text
    • http://tecnodue.com/images/how-to-hack-roblox-moon-tycoon.pdfIn PDF document text
    • http://www.kalaaliaraq.dk/images/roblox-free-rare-accounts.pdfIn PDF document text
    • http://sandra-masemann.de/images/roblox-account-hacker-no-download.pdfIn PDF document text
    • http://aiyta.com/images/free-roblox-accounts-with-robux-2021-july.pdfIn PDF document text
    • http://cleanteclogistics.com/images/roblox-cheat-menu-download.pdfIn PDF document text
    • https://ballaratcaravans.com.au/images/logo-roblox-cafe-gfx-free.pdfIn PDF document text
    • http://huananhai.net/images/cheat-codes-in-phantom-forces-roblox.pdfIn PDF document text
    • https://amatq.ca/images/roblox-bubble-gum-simulator-cheat.pdfIn PDF document text
    • http://xn-----clcdhzcbmgnochhb1boe1a6b.xn--p1ai/images/how-to-hack-roblox-lumber-tycoon-2.pdfIn PDF document text
    • http://www.maakherumusic.net/images/how-to-get-free-robux-and-tix-on-ipad.pdfIn PDF document text
    • http://a1scan3d.com/images/how-to-get-free-robux-codes-2021-march.pdfIn PDF document text
    • https://www.gvandenakker.nl/images/free-robux-febuary-2021-no-waiting-times.pdfIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0003905c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3905C 25836 bytes
SHA-256: 02fc56b8f6841aa0c38626adbee9802939bd9ce6d0a94a7e896685fc2de74809
font_01_sfnt_off0003cbdd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3CBDD 11440 bytes
SHA-256: 154d59d1680f2d1e38ccb783d6997f344290d121007e51df331726de4128c12e
font_02_sfnt_off0003e6fe.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3E6FE 18588 bytes
SHA-256: b5dad49b986c3513323b7f3603115e902929891f784dec15f4e9ddd8554593cc

Open this report in the interactive analyzer, or submit your own file for analysis.