PDF static analysis report

Static analysis result for SHA-256 1ebf1fcbd35096e8…

Verdict: SUSPICIOUS
File type: PDF
Size: 1.87 MB
Created: 2017-04-01 11:07:58 -05:00
Authoring application: Microsoft® Word 2016
First seen: 2021-09-13
MD5: baa929dd81936d790409209db495b66e
SHA-1: d99af51354fadd45a9c5fe7df800c6eacfcb80a3
SHA-256: 1ebf1fcbd35096e81a49e007558515b4c3657c336cd6474d09122e2cfca4668a
Risk score: 44

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous embedded URLs, with several flagged as suspicious or unknown reputation. The presence of the SE_LOLBIN_RUN_COMMAND heuristic suggests an attempt to execute commands, likely related to fetching content from these URLs. No scripts were extracted, but the overall pattern indicates a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics (3)

  • LOLBin token sequence in document text (severity: high) SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.commercialalert.org/issues/ (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_199_off0017543f.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17543F
    Size: 334756 bytes
    SHA-256: 7bd819e9116743ecee1ff8c7ffd4e49ce9392e6f0d230fff5efc0e25c038212a
  • Filename: stream_200_off00191ca5.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x191CA5
    Size: 236360 bytes
    SHA-256: 12ca3beed03da9158798bd1eac1a5b59b834e3d9a248b24b7001959707e16285