PDF static analysis report

Static analysis result for SHA-256 30ebf8629b806ad0…

CLEAN

PDF

28.11 MB First seen: 2020-09-24
MD5: 752458727d4e69b3f29f3a3b22c41ad8 SHA-1: e24bc33dfb91653a00640c87db1c5e3fac0abfa6 SHA-256: 30ebf8629b806ad08e01da52415ed60a16c9becdce9bc79016e015d9fb09415b
22 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file exhibits characteristics of malicious intent, including an embedded JavaScript stream and an unusually high number of stream objects, indicative of potential obfuscation or exploit delivery. While the document body is unreadable, the presence of embedded JS and numerous streams strongly suggests an attempt to execute code. The embedded URLs, though mostly benign, include two unknown ones that warrant attention.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2923

Heuristics 2

  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://www.npes.org/pdfx/ns/id/ In PDF document text
    • http://www.aiim.org/pdfa/ns/id/ In PDF document text
    • http://ns.adobe.com/pdfx/1.3/ In PDF document text
    • http://www.iec.ch In PDF document text

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_007_off00109ed8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x109ED8 | 87108 bytes | a66964a267a5f350297ce13581c465e5bce2011d4e553b735ebe82ff52c62de8
icc_00_off00001ff6.icc | pdf-icc-profile | PDF ICC profile at offset 0x1FF6 | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off01b8dfea.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1B8DFEA | 286 bytes | f73de91edcfaea2b23a1e8d4ddb2e9b9a927bfed8b628bcdfb4f449b51f8c2c2