Malicious PDF — malware analysis report

Static analysis result for SHA-256 d73976cc6542e88a…

Verdict: MALICIOUS
File type: PDF
Size: 79.3 KB
Created: 2021-06-08 01:40:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 211415340d05b52638818fd1deac0181
SHA-1: 857bb3d7ab97dbd3a095225354d5b81febb40926
SHA-256: d73976cc6542e88afa67c6e1471ab70aa83c183484716fc69b62bf876d2313f0
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically as a phishing trojan. It contains an embedded URI pointing to 'https://pistant.ru/pbw?utm_term=flying+car+games+unblocked', which is likely a phishing lure. The document body is heavily obfuscated, preventing a clear understanding of its direct content, but the presence of the malicious URL and the detection signatures strongly indicate a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • ClamAV detection (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, tag: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: https://pistant.ru/pbw?utm_term=flying+car+games+unblocked

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000fa34.bin
    SHA-256: d63955a7bbf8247670604f8426abea51dd713b74e153d6cbcfd2ae6bbb153c62
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA34
    Size: 5520 bytes
  • Filename: font_01_sfnt_off00010cf9.bin
    SHA-256: e79c1dc6b0c6011d9d384b9290154f9937343aac2d60f1544c26cc06dfdb5873
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10CF9
    Size: 10204 bytes