PDF static analysis report

Static analysis result for SHA-256 376df03608f3670c…

CLEAN

PDF

Size: 208.1 KB
Created: 2018-04-27 12:37:22 +02:00
Authoring application: Crystal Reports (via Powered By Crystal)
First seen: 2019-04-18
MD5: 8b1d1876812af03cb42c888c47413f67
SHA-1: 9cba1edbc143221e5120ab6df8d0603261efd529
SHA-256: 376df03608f3670cc674dc99c4b01617dc328bcee1fd16a4a3c1945f0177388e
Risk Score: 8

Machine Learning

  • Nyx PDF Classifier clean score 0.0023

Heuristics 4

  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • https://phukienden.com/365New/loginonlinelive/index.php | PDF link annotation
    • http://bfc.mn/assets/layouts/memory/365New/loginonlinelive/index.php | In PDF document text
    • http://bfc.mn/assets/layouts/memory/365New/loginonlinelive/index.php)/Type | In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# | In PDF document text
    • http://ns.adobe.com/xap/1.0/ | In PDF document text
    • http://ns.adobe.com/pdf/1.3/ | In PDF document text
    • http://purl.org/dc/elements/1.1/ | In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ | In PDF document text
    • http://www.aiim.org/pdfa/ns/extension/ | In PDF document text
    • http://www.aiim.org/pdfa/ns/property# | In PDF document text
    • http://www.aiim.org/pdfa/ns/schema# | In PDF document text
    • http://www.aiim.org/pdfa/ns/id/ | In PDF document text

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_021_off0001c150.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1C150 | 5738 bytes
    SHA-256: 815ab32950df7a8485c9ea3ec75030acb5830ffe8d181b0e17c33f05021fea6a
    Detection
      • ClamAV: No threats found
      • Obfuscation or payload: likely
        Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_00_sfnt_off0000c534.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC534 | 11676 bytes
    SHA-256: 8619a74cfef92d6083d761c1297a312858e1b33f9a8d9a6d87dbac8740353722
font_01_sfnt_off000141a3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x141A3 | 21907 bytes
    SHA-256: a52a0451147c87e1b74fef17f7a7d56e5e335a920b03a8c62117fab3b1451a0c
font_03_cff_off0001f186.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x1F186 | 4870 bytes
    SHA-256: f1765c47924650380aeff965c9db5e7d7d2a1aba2ece1858ae7dafe4b9fd69f6
font_04_cff_off00023ee6.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x23EE6 | 3433 bytes
    SHA-256: d5eec27a61523446262f80d1946dd2f7eefeba6757a4efaa4e2ea753821901cc