PDF static analysis report

Static analysis result for SHA-256 43017417fb2a4d63…

SUSPICIOUS

PDF

Size: 284.3 KB
Created: 2019-04-03 10:11:13 UTC
Authoring application: PDFescape Online - https://www.pdfescape.com (via RAD PDF 3.9.6.0 - https://www.radpdf.com)
First seen: 2020-07-24
MD5: 78cb7c655707a804d5dfbdb25278c46f
SHA-1: 8f403d2ff7b9703be4903627e767f00b7cb5b0fe
SHA-256: 43017417fb2a4d63fffe9a91412a7e3a0a3a08f286039cbe4389feec6d25bd2e
Risk Score: 42

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document uses a cloud document lure, impersonating services like OneDrive or Google Drive to trick the user. It contains a shortened URL (http://bit.ly/2VZvqY8) which, when expanded, likely leads to a malicious site. The presence of multiple OneDrive-themed URLs further supports this phishing pretext.

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics (3)

  • Clickable URI uses URL shortener (severity: medium) [PDF_URL_SHORTENER_URI]
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Cloud document impersonation lure (severity: medium) [SE_CLOUD_DOC_LURE]
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vhlpropiedadraiz.com/Mariepasqualee/0nedrive_1 (in PDF document text)
    • https://artforyourface.com/OneDrive (in PDF document text)
    • https://www.radpdf.com (in PDF document text)
    • https://www.radpdf.com)/Creator(PDFescape (in PDF document text)
    • https://www.pdfescape.com)/CreationDate(D:20190403101113Z)/ModDate(D:20190627205927Z (in PDF document text)
    • http://www.dynaforms.com (in PDF document text)
    • http://bit.ly/2VZvqY8 (in PDF document text)
    • https://www.pdfescape.com (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (in PDF document text)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

  • stream_003_off0000c396.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xC396
    Size: 46390 bytes
    SHA-256: e70aef7fb3f2a90633646d3c3f1814734d38d12d59eaa730227dc1047899150a
  • font_00_sfnt_off00000997.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x997
    Size: 79100 bytes
    SHA-256: c3333bd24c08eb3b7b6fa668f9ff88a6605da659d896ca2d301746cda1827271
  • font_02_sfnt_off0001454b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1454B
    Size: 40272 bytes
    SHA-256: 55d449bbbed8fe7cc812a4968a06190ab794a9cd06c9c973f3409459d337dde0
  • font_03_sfnt_off0001b57b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1B57B
    Size: 42114 bytes
    SHA-256: f1716b0c4a5e60abc092516aafaf1f7d45ab3acd96a881b9bb05d7672457ef97
  • font_04_sfnt_off00022ab6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22AB6
    Size: 34776 bytes
    SHA-256: 0a2f048be8dcf44feae4f4e22def2e77404533ebda675b9141b70b461627c933
  • font_05_sfnt_off00025830.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x25830
    Size: 60480 bytes
    SHA-256: c6ecf8878cfd2767ec830326e05e53cac1e43a9e5ecfff903fec2733b27932b8
  • font_06_sfnt_off0002e6ca.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E6CA
    Size: 41328 bytes
    SHA-256: 11dc4b571809cdbab5fef8efb4724bd1ba8117196f5eb50571c197defe33c0cf
  • font_07_sfnt_off000359fd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x359FD
    Size: 37884 bytes
    SHA-256: b3c5490ddd9e0e11a9eed00d9e40febf654059249aa9e1db82afd3fe7de74327