Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8518cd0dcc0874d…

MALICIOUS

PDF

58.8 KB Created: 2021-04-05 18:18:34 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 7c5561ed677de7efa551d315a7cdedd6 SHA-1: 6775bac562b5df3609d3bfec6429790cd3c0d048 SHA-256: e8518cd0dcc0874d525e94d78771c24e605f6d16f5d5e3932d59f92bdf4ae43c
122 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The document presents a lure for game-related scripts and employs an advance-fee scam, instructing the user to interact with embedded links. The presence of multiple URLs and the ML classifier's high confidence score indicate a malicious intent to direct users to download potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7795

Heuristics 5

  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/boku-no-roblox-remastered-op-gui-script-hack
    • http://www.sfakia-online.com/images/farmtown-roblox-cheats.pdf
    • http://cleanteclogistics.com/images/get-free-robux-on-ipad.pdf
    • http://www.marambio.com.ar/images/can-i-get-free-money-on-roblox-adopt-me-2021.pdf
    • http://webstan.be/images/hack-de-roblox-jailbreak-descargar.pdf
    • http://www.eaapiaria.es/images/redeem-card-roblox-free.pdf
    • http://www.mjclautrec.fr/images/is-kinetic-code-going-to-be-free-roblox.pdf
    • http://moralcenter.or.th/images/free-robux-pastebin-august-2021.pdf
    • http://bilhetim.com.br/images/descargar-programa-para-hackear-roblox.pdf
    • http://naturschutzgossau-zh.ch/images/robux-computer-hack.pdf
    • https://www.coriglianocalabro.it/images/fps-roblox-free.pdf
    • https://www.tsdb.com.au/images/free-roblox-promo-codes-2021-august.pdf
    • http://www.lycee-langevin-wallon.com/images/free-robux-givaways.pdf
    • https://septik-montag.ru/images/ss-hub-free-roblox.pdf
    • http://www.maakherumusic.net/images/free-robux-hack-without-downloading-apps.pdf
    • http://techmobil.pl/images/how-to-get-free-shirts-on-roblox-2021-without-bc.pdf
    • http://hemmet-strand.dk/images/how-to-equip-knife-roblox-hack.pdf
    • http://www.malonmalon.com.ar/images/free-bc-roblox-2021.pdf
    • http://palogar.es/images/code-kingdoms-free-roblox.pdf
    • http://musical-arts.de/images/free-robux-generator-google-chrome-plugin.pdf
    • https://www.udivadlahotel.cz/images/pastel-hair-roblox-free.pdf
    • http://eltisstudio.sk/images/how-hack-roblox-money.pdf
    • https://gestionpatrimonial.net/images/hacks-para-skywars-roblox-2021.pdf
    • http://jobsy.com.sg/images/roblox-hack-in-2021.pdf
    • http://www.rezbb.sk/images/free-robux-no-download-or-email.pdf
    • https://www.academiaanticorrupcion.org/images/roblox-wizard-life-galleons-hack.pdf
    • http://bolsaycapital.com/images/cheat-aimbot-roblox-mdiafire.pdf
    • http://www.lycee-langevin-wallon.com/images/how-to-hack-a-person-on-roblox-2021.pdf
    • http://osteonad.com/images/free-robloxs-username.pdf
    • http://zarinnameh.ir/images/roblox-hack-tool-robux-and-tix-no-survey.pdf
    • https://gabrieliassociati.com/images/roblox-how-to-get-free-gear-2021.pdf
    • http://swibome.nl/images/how-to-tell-if-you-have-been-hacked-on-roblox.pdf
    • http://pourvosvacances.com/images/how-to-hack-in-roblox-without-cheat-engine.pdf
    • http://vipservice-bg.com/images/change-your-in-game-name-on-roblox-hack.pdf
    • https://sitam.co.in/images/best-pklayed-games-free-roblox.pdf
    • https://itv-grabungen.de/images/ass-hurt-free-roblox.pdf
    • https://www.cfdcnv.com/images/cheat-engine-63-roblox-apocalypse-rising.pdf
    • https://gabrieliassociati.com/images/wwwrobux-party-com-free-robux.pdf
    • https://www.cnte.org.br/images/roblox-hacks-flame.pdf
    • http://dmoraitis.gr/images/vip-roblox-free.pdf
    • https://shimony.net/images/roblox-how-to-get-free-skins.pdf
    • http://domaizdereva24.ru/images/roblox-app-free-download-for-android.pdf
    • http://subarulegacy.com/images/roblox-legend-of-the-fallen-kingdom-2-rpg-cheats.pdf
    • http://optsuvenir.by/images/games-that-have-free-robux.pdf
    • http://grugliascogiovani.org/images/free-roblox-card-codes-not-used-2021.pdf
    • http://www.remiauclair.fr/images/getting-my-roblox-account-hacked.pdf
    • http://www.fluidtech.hu/images/roblox-hack-2021-robux.pdf
    • https://jdlgroup.ca/images/hack-pour-avoir-plein-de-lgendaire-roblox-bubble-gum.pdf
    • https://www.udivadlahotel.cz/images/free-roblox-exploits-2021.pdf
    • http://learningarabic.co.uk/images/how-to-hack-jailbreak-roblox-2021.pdf
    +20 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000084a7.bin
2340a21c79430d7c0d71aa5428dbdffae700549d04dc1d01ab421ce1ec93981d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x84A7 26808 bytes
font_01_sfnt_off0000c10d.bin
e2df4c54f2f0d04ded70c1ca17237419d2602e697790957b24ed054e87f4b126		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC10D 18720 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.