Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddd3e067d7628a9c…

MALICIOUS

PDF

Size: 251.4 KB
Created: 2021-04-05 03:46:47 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
First seen: 2021-10-14
MD5: eed3af05ce92b3ec1e3abee03def1239
SHA-1: 4efda29b966c04c3eb72decc1e2966c58a2172c1
SHA-256: ddd3e067d7628a9c3bee32b1072e0c75f33d21c4200b9abec0a315d28279178b
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing attempt related to Roblox. It contains multiple URLs that are likely part of a phishing or scam campaign, directing users to sites offering "hacks" or "cheats" for the game. No scripts were extracted, but the presence of external URIs and the phishing classification strongly suggest a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7201

Heuristics (4)

  • ClamAV: Pdf.Phishing.Roblox062100-9873116-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Roblox062100-9873116-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00037c6f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x37C6F | 26560 bytes
  SHA-256: dcdfb75c07a6ff0d3c3032736f8ceeb262e79c04b1650bbc76a15c41664df913
font_01_sfnt_off0003b7c2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3B7C2 | 6952 bytes
  SHA-256: efafbfd5a903c95ff2c8a4b17b573f6eacb5d9dee2ee2dc5cb3b84a390354b72
font_02_sfnt_off0003c849.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C849 | 17904 bytes
  SHA-256: 07bd71d95ddf4094567c88f0652f89c994a6560809fbfda6f93c9488e58af639