PDF static analysis report

Static analysis result for SHA-256 16a8289a1eb87d33…

SUSPICIOUS

PDF

Size: 87.5 KB
Created: 2021-04-01 21:25:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2026-06-04
MD5: c8b98f2d053b645276b273d534ea5e4f
SHA-1: 1edae075340c8d4a2075c9c055ab874263f8ca3a
SHA-256: 16a8289a1eb87d333a7e11809787be7fa4b74f197c5b109d3115b2ebdf553d19
Risk Score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an embedded URL that redirects to a suspicious domain, disguised as a legitimate document template. The ML classifier strongly indicates maliciousness, and the presence of external URIs suggests an attempt to download further content or redirect the user to a malicious site. No scripts were extracted, but the overall structure and embedded URI point to a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nipisod.ru/123?utm_term=navy+brag+sheet+template+2019 (PDF link annotation)

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e9ae.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE9AE | 12808 bytes
  SHA-256: d46ecfaa2a0c536b1ed01c4546a43bda65d57792428c93e033961e5752f875f7
font_01_sfnt_off000113d7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x113D7 | 5984 bytes
  SHA-256: ca8147ca2030c474eba7c1535d69533f9575b37d24426ded5ef68bc9bf12a1e3
font_02_sfnt_off00012822.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12822 | 11316 bytes
  SHA-256: 0f5076ed5475ddcb2d440e0a11c192ca63d72400be9c7589852b88b8ac5fd4c5