PDF static analysis report

Static analysis result for SHA-256 09d4c5285a078261…

CLEAN

PDF

Size: 81.8 KB
Created: 2017-01-07 19:12:56 +08:00
First seen: 2018-10-07
MD5: d17fe6e9cabe49420de61b2e1ba919c5
SHA-1: 12bf946b7020bf1e79851d6c0744d01add19ca23
SHA-256: 09d4c5285a078261f8d1dfab58019e3fb227e9466622e666f602bb07a109e639
Risk Score: 24

Machine Learning

  • Nyx PDF Classifier clean score 0.0337

Heuristics 3

  • Clickable URI points to raw IP address [medium] PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_004_off0000a0b3.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xA0B3 | 19856 bytes
    SHA-256: a930245e90be17a336a7679d31e9d416ddec66c65020bec75b59b2e2bfc19120
font_01_sfnt_off0000d645.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD645 | 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
font_02_sfnt_off00010c06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10C06 | 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1