PDF static analysis report

Static analysis result for SHA-256 264b0229776af7c8…

SUSPICIOUS

PDF

Size: 73.3 KB
Created: 2021-06-01 03:35:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-22
MD5: 973105de3e61ea22e96927787c5b7155
SHA-1: c41265610f3857dbbbd88eb4745091ea31314d21
SHA-256: 264b0229776af7c8766dadbf5b9950a2a9188da15ba1d06821d811282e63a381
Risk Score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as suspicious by an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://coretry.ru/pbw?utm_term=mathematical+analysis+by+malik+and+arora+5th+edition+pdf+download (PDF link annotation)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000df43.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF43
  Size: 5920 bytes
  SHA-256: df12e00969a0cdd085e3b53ee105bdcdd243e45052d16900d3ed80466f3ec50e

Filename: font_01_sfnt_off0000f364.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xF364
  Size: 10596 bytes
  SHA-256: b18bd1d498137ae693fa9cf0c995e92d97671f1e3ccb53eec60742f4870c7940