Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2c3d02224f443b2…

MALICIOUS

PDF

60.6 KB Created: 2021-04-06 01:55:27 +07:00 Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7) First seen: 2021-10-14
MD5: cce3c6ea0d96c0b52b2d03a9ad6f4607 SHA-1: 7d68244312f06ef82cfecb0c4cec41854a6e9cf2 SHA-256: f2c3d02224f443b2b8c6126ef813c720f1eecc9d927cb8964a3b81948f58007d
82 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a URL that leads to a site offering a 'Roblox Robux Hack', indicating a social engineering lure for potentially unwanted or malicious software. The presence of ML_NYX_PDF_MALICIOUS and SE_LOLBIN_RUN_COMMAND heuristics further supports the malicious nature of the file. Although no scripts were explicitly extracted, the document body and heuristics suggest an attempt to trick users into downloading an application.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7417

Heuristics 4

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gaminggenerator.org/app/431946152/android-oyun-club-roblox-robux-hack PDF link annotation
    • https://www.milewood.co.uk/images/free-robux-for-account.pdfIn PDF document text
    • http://www.mjclautrec.fr/images/how-to-get-free-robux-no-waiting-or-inspect.pdfIn PDF document text
    • http://www.mediaxin.net/images/free-games-to-take-on-roblox.pdfIn PDF document text
    • http://uctovnictvosnv.sk/images/free-roblox-hack-accounts.pdfIn PDF document text
    • http://jugendfeuerwehr-scheinfeld.de/images/roblox-windows-download-free.pdfIn PDF document text
    • https://sanjoseelectricians.net/images/how-to-get-free-packs-in-roblox.pdfIn PDF document text
    • http://nitetpl3.com/images/free-roblox-passwords-with-robux.pdfIn PDF document text
    • http://briankellyforcongress.com/images/free-music-roblox-id.pdfIn PDF document text
    • http://artindex.pro/images/get-free-robux-in-robolx.pdfIn PDF document text
    • http://bassacctaxservices.com/images/how-to-hack-roblox-jailbreak-with-cmd-prompt.pdfIn PDF document text
    • http://mostowicz.pl/images/youtube-hack-any-roblox-account-no-loading.pdfIn PDF document text
    • https://www.osoc.com/images/how-to-get-free-admin-in-roblox.pdfIn macro / runtime command snippet
    • http://amtabor2.at/images/how-to-hack-stats-on-roblox-dbz.pdfIn macro / runtime command snippet
    • http://michalmatys.pl/images/check-background-net-roblox-hack.pdfIn PDF document text
    • http://yogaschooldecypres.be/images/do-you-want-free-robux-song.pdfIn PDF document text
    • https://scraperite.com/images/codes-to-get-free-robux-2021.pdfIn PDF document text
    • http://www.sapaengineering.kz/images/how-to-hack-roblox-account-on-phone.pdfIn PDF document text
    • http://www.brtes.com/images/roblox-hack-injector-dll.pdfIn PDF document text
    • https://abouttimetech.com/images/free-admin-for-every-game-on-roblox.pdfIn PDF document text
    • http://behsanroshd.com/images/can-robux-generator-hacks-gmail.pdfIn PDF document text
    • http://uctovnictvosnv.sk/images/robux-hack-2021-working.pdfIn PDF document text
    • http://agrupamentoescolas-alfredo-da-silva.com/images/how-to-get-followers-on-roblox-for-free.pdfIn PDF document text
    • https://www.only-press.ru/images/bloxorz-free-robux.pdfIn PDF document text
    • https://consorziocsa-asicaivano.it/images/free-robux-hack-no-survey-no-verification.pdfIn PDF document text
    • http://abletrustcare.com/images/how-to-hack-roblox-with-console.pdfIn PDF document text
    • http://echosvoix.ch/images/free-cash-script-ultimate-driving-roblox.pdfIn PDF document text
    • https://septik-montag.ru/images/free-robux-no-offers-no-human-verification.pdfIn PDF document text
    • http://echosvoix.ch/images/bear-hack-roblox.pdfIn PDF document text
    • http://www.friendshiptransport.net/images/free-robux-no-buying-stuff.pdfIn PDF document text
    • http://iricamidelcuore.it/images/roblox-join-group-free-robux.pdfIn PDF document text
    • https://www.audipec.com.br/images/free-admin-on-roblox-pastebin.pdfIn PDF document text
    • https://www.stkdb.cz/images/booga-booga-roblox-hacker.pdfIn PDF document text
    • http://naturschutzgossau-zh.ch/images/free-hair-on-roblox-for-girls.pdfIn PDF document text
    • http://www.boic.nl/images/hack-and-glitches-for-roblox-phantom-forces.pdfIn PDF document text
    • http://sb2m.com.br/images/how-do-you-do-interest-free-roblox-games.pdfIn PDF document text
    • http://eventgo.fr/images/robux-hack-download-2021.pdfIn PDF document text
    • http://internetdeputy.com/images/how-to-get-roblox-dollars-for-free.pdfIn PDF document text
    • https://www.fhccu.com/images/how-to-change-my-roblox-username-for-free.pdfIn PDF document text
    • http://stackideas.com/images/how-to-get-dominus-for-free-in-roblox.pdfIn PDF document text
    • http://cekmekoygundem.com/images/roblox-lumber-tycoon-2-map-xbox-one-cheats.pdfIn PDF document text
    • http://cosver.eu/images/roblox-hack-in-all-game.pdfIn PDF document text
    • http://optsuvenir.by/images/free-robux-and-tix-app.pdfIn PDF document text
    • http://kim-kinder-im-mittelpunkt.de/images/free-robux-tix-generator-download.pdfIn PDF document text
    • http://yogaschooldecypres.be/images/descargar-hack-de-robux-para-roblox-2021.pdfIn PDF document text
    • http://kovroff.com.ua/images/roblox-trolling-outfit-for-free.pdfIn PDF document text
    • http://yochin.org.tw/images/omggh-new-roblox-hack-lumber-tycoon-gui.pdfIn PDF document text
    • http://ilcommercialista.info/images/i-was-hacked-on-roblox.pdfIn PDF document text
    • http://ferienwohnung-dorsten.com/images/roblox-recover-hacked-account-no-email.pdfIn PDF document text
    • http://reisebild.eu/images/roblox-boku-no-hero-academia-cheat-engine.pdfIn PDF document text
    +21 more URL(s)

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00008af8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8AF8 28116 bytes
SHA-256: ee4b2c361da5572066c79656c1b5d73fb154e00c03cb41c767269173373e7021
font_01_sfnt_off0000c995.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xC995 18204 bytes
SHA-256: 193d1f136f51c8883a09a4946bc76b5f4bd09b21271c187529cc93f74df67e54