Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2c8e7f71c9120dd…

Verdict: MALICIOUS
File type: PDF
Size: 61.0 KB
Created: 2021-04-05 20:22:15 +07:00
Authoring application: wkhtmltopdf 0.12.6 (via Qt 4.8.7)
MD5: 7820ad3f1c4bdd00cd7ed0c5d15ee6c9
SHA-1: 849f156236fb331c95a440b1754d3364cb692ef9
SHA-256: f2c8e7f71c9120dd66202768e2894a1a2e780cfdf7d299e76ca0655849bf0a7d
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains numerous embedded URLs, with a primary focus on 'free Robux' and game hacks, indicating a scam or phishing attempt. The presence of a visual download button and instructions for a password-protected archive suggests a multi-stage lure designed to bypass security controls and trick users into downloading malicious content or visiting scam websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6193

Heuristics (4)

  • Password-protected archive handoff (severity: high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://gaminggenerator.org/app/431946152/free-robux-websites-scam-link
    • http://ns1.radiofacil.net/images/roblox-grand-theft-auto-v-cheats.pdf
    • http://www.torvet11.dk/images/roblox-dungeon-quest-free-stats-reset.pdf
    • http://a1scan3d.com/images/safe-robux-hack.pdf
    • https://www.eglihotel.gr/images/roblox-hack-no-survey-no-download-2021.pdf
    • http://www.pro-futuro.eu/images/roblox-jailbreak-hacks-april-2021-working.pdf
    • https://www.wildpark-johannismuehle.de/images/free-roblox-skins-editor.pdf
    • https://www.tsdb.com.au/images/free-robux-hack-roblox-no-verification.pdf
    • http://www.pacoestrada.it/images/robux-hack-without-verification-required.pdf
    • http://arch-centr.ru/images/barren-roblox-hack.pdf
    • http://nosocomium.rv.ua/images/broken-bones-iv-hack-roblox.pdf
    • http://www.colma.it/images/delta-roblox-hack-buy.pdf
    • https://www.iadh.bi/images/cool-tshirts-roblox-for-free-sharkblox.pdf
    • http://garrisonjazz.com/images/how-to-change-roblox-name-free-2021.pdf
    • http://selectionspdf.fr/images/how-to-hack-roblox-mobile-with-ifile.pdf
    • https://servotecnica.com/images/free-robux-generator-2021-gamingthix.pdf
    • http://www.comitatoiseo.org/images/yt-how-to-hack-roblox.pdf
    • https://www.europap.cz/images/i-want-free-robux-please.pdf
    • http://erntefest2016.de/images/roblox-secret-cheat-codes-for-music-its-raining-tacos.pdf
    • http://unionmusicaldebenidorm.com/images/cheat-for-guessing-anime-roblox.pdf
    • http://legs11.co.za/images/free-hack-roblox-download.pdf
    • http://www.web.stc-part.co.th/images/free-robux-codes-2021.pdf
    • https://www.u-pin-it.com/images/free-games-with-gamespasses-roblox.pdf
    • https://www.utalii.ac.ke/images/roblox-noob-outfit-free.pdf
    • http://gitagasht.com/images/roblox-avatar-free-hair.pdf
    • http://fairwaygolftravel.co.uk/images/roblox-free-hats-generator.pdf
    • http://swibome.nl/images/roblox-newgen-free-robux.pdf
    • http://www.drent.se/images/como-ser-un-hacker-en-house-of-keys-roblox.pdf
    • http://www.art-concept.gr/images/free-robux-no-files.pdf
    • http://bb-im2.com/images/hwo-to-get-free-robux-with-out-password-or-hacking.pdf
    • http://bau-lk.de/images/free-roblox-scibt-pack-exploit-2021.pdf
    • http://daksz.hu/images/money-for-roblox-strucid-free.pdf
    • http://ns1.radiofacil.net/images/roblox-pet-simulator-cheats.pdf
    • http://prodent.com.ua/images/roblox-its-free-id.pdf
    • http://www.hawler.in/images/robux-card-codes-free.pdf
    • http://pacatuamigo.com/images/hack-voir-information-personnel-sur-roblox.pdf
    • http://www.mjclautrec.fr/images/roblox-free-password-and-usernames.pdf
    • https://cdu-lengerich.de/images/roblox-hacker-download.pdf
    • https://www.sitiwebjoomla.it/images/can-roblox-determine-the-ip-address-of-a-roblox-hacker.pdf
    • http://schrichte.de/images/roblox-hack-instalar.pdf
    • http://hondenspecialist-engelien.nl/images/admin-hack-roblox-stat-chage.pdf
    • https://esl.ipb.ac.id/images/best-roblox-cheats-and-hacks.pdf
    • http://nitetpl3.com/images/cheat-roblox-battle-royal-simulator.pdf
    • http://lv-siegen.de/images/roblox-how-to-hack-jailbreak.pdf
    • http://uptodate.az/images/free-robux-map-2021.pdf
    • http://cristalysoptic.com/images/roblox-character-edit-hack.pdf
    • http://www.agri-tech.com.au/images/is-it-possible-to-hack-roblox.pdf
    • http://www.visiblefilm.com/images/roblox-polyguns-hack-credits.pdf
    • http://www.inservis.cl/images/tower-battles-hack-roblox.pdf
    • http://cosver.eu/images/i-want-robux-for-free.pdf
    +15 more URL(s)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
stream_003_off00008211.bin | c243d7f6e3d286feed46456a0cc32ad103781dc94a6871eb8d37606584d9eb48 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8211 | 26748 bytes
font_01_sfnt_off0000bf91.bin | 4737c2778a085e0cb49e73f3b054b1a71e3f40720d213b4bfda97f95a31bfbf1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBF91 | 2848 bytes
font_02_sfnt_off0000c952.bin | c913c8b5e2accff361db35b841a3d11b3a673e8c05e5aa46f258f1e7a9f2930a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC952 | 18820 bytes