Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e550f488b7dc3be…

MALICIOUS

PDF

Size: 100.0 KB
Created: 2021-06-13 08:37:05 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 019e9cb766eed536e5ad319e1cc27530
SHA-1: c37787769bb0e43df4f5a351f82c323768b92dc9
SHA-256: 3e550f488b7dc3be34856df3cad32318ac871aa7d8dab2de0b4dd9f74b5edea3
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'https://pistant.ru/pbw?utm_term=dnd+5e+list', which is likely the primary malicious payload delivery mechanism. The document body, though heavily obfuscated, contains references to 'Dnd 5e list' and 'wkhtmltopdf', suggesting a lure to disguise the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (5)

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://pistant.ru/pbw?utm_term=dnd+5e+list

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off00013465.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x13465   4636 bytes
  SHA-256: 1cad6f073541b5365661bbe3c1124a4cf62fda783ef490ff0aa3a8872f78433f
font_01_sfnt_off00014449.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14449   13280 bytes
  SHA-256: 13263076b419e9e9df5d25a974f30325f7745780dde79d73010eae0e679b2275
font_02_sfnt_off00016df5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x16DF5   16060 bytes
  SHA-256: 2173a1880e9f774f759393e7d0d28dda91d04d8a3eae6bea41b822770b343b90