PDF static analysis report

Static analysis result for SHA-256 4770a57d5af27d29…

Verdict: SUSPICIOUS
File type: PDF
Size: 1.43 MB
Created: 2016-12-30 10:01:38 +01:00
Authoring application: Microsoft® Word 2013
First seen: 2020-09-24
MD5: f6433b9d55dc0a52a1c2aab540d4e240
SHA-1: 1846a6a40f141567c7bd729eeaac85fc6f9b9b8f
SHA-256: 4770a57d5af27d2987f9555d55c9abafdb99e902df4a51c67e88c8ac94e32bf2
Risk score: 26

Machine Learning

  • Nyx PDF Classifier: clean (score 0.0002)

Heuristics (4)

  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here the matching artifact is stream_022_off00052893.bin (see Extracted artifacts below).
  • External URI [info] PDF_URI
    The PDF contains an external URI action (a link annotation or action dictionary with /S /URI).
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (each save in an editor appends a new definition of the changed objects), so the severity is raised only when the duplicate carries active content such as an action or script entry.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.pce-france.fr/conditions-generales.htm  (channel: PDF document text)
    • http://www.pce-instruments.com/PDF  (channel: PDF link annotation)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/  (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/  (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/  (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/  (channel: PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License  (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X  (channel: PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0  (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z  (channel: PDF document text)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0  (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T  (channel: PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0  (channel: PDF document text)
    • http://www.microsoft.com/Typography/0  (channel: PDF document text)
    • https://www.verisign.com/rpa  (channel: PDF document text)
    • http://ocsp.verisign.com/ocsp/status0  (channel: PDF document text)
    • https://www.verisign.com/rpa0  (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0  (channel: PDF document text)
    • http://www.microsoft.com/typography  (channel: PDF document text)
    Reading the list: the rdf-syntax-ns, purl.org/dc and ns.adobe.com entries are XMP metadata namespace identifiers and the microsoft.com/typography entries are vendor/licence URLs of the kind carried in font name tables; a reader never fetches them. The crl.microsoft.com, microsoft.com/pki, verisign.com and ocsp.verisign.com entries are CRL, AIA and OCSP pointers from an X.509 certificate chain (Microsoft code-signing and timestamp CAs) embedded somewhere in the file; the trailing "0X", "0Z", "0T" and "0" characters are the DER SEQUENCE tag and length bytes that follow each string inside the certificate, not part of the URL. Signed font data (an sfnt DSIG table) is a common benign source of such a chain; an embedded signed executable would be the other explanation, so confirm which extracted stream holds the certificate blob before closing the case.
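The two heuristics above, duplicate object bodies and per-channel URL labels, both come down to walking the file's "N G obj ... endobj" definitions in file order. The following is an added example of that walk, not the scanner's code: it reports the first-wins and last-wins body for every object number whose definitions differ, flags whether either body carries an action key, and lists URLs by the channel that reached them. The regex walk, the ACTIVE_KEYS list, the channel names and the sample PDF (a constructed one-page document whose link annotation is redefined by an incremental update, with the target updated.example.invalid and the /Prev value invented for the demo) are all assumptions made here.

```python
"""Duplicate-object and URL-channel triage for a PDF.

Added example, not the scanner's own code. It reads every "N G obj ... endobj"
definition in file order, flags object numbers whose bodies differ (what a
first-wins reader resolves versus what a last-wins reader resolves, and whether
either body carries active content), and lists URLs by the channel that reached
them. The regex walk deliberately ignores the xref chain: it shows what a naive
reader sees, which is exactly where first-wins and last-wins parsers disagree.
"""
import hashlib
import re
from collections import defaultdict

# "N G obj <body> endobj", non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
# A /URI action literal inside an annotation or action dictionary: link-annotation channel.
URI_ACTION_RE = re.compile(rb"/URI\s*\((.*?)\)")
# Any http(s) URL in the remaining bytes: document-text channel.
TEXT_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys whose presence makes a conflicting body worth a higher severity (assumed list).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR", b"/RichMedia", b"/EmbeddedFile")


def parse_objects(data):
    """Return [(num, gen, body)] in file order; duplicates are kept, not merged."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3))
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """Map (num, gen) -> first-wins body, last-wins body and an 'active' flag,
    only for objects defined more than once with different bytes."""
    bodies = defaultdict(list)
    for num, gen, body in parse_objects(data):
        bodies[(num, gen)].append(body.strip())
    result = {}
    for key, versions in bodies.items():
        if len({hashlib.sha256(v).digest() for v in versions}) > 1:
            result[key] = {
                "first_wins": versions[0],
                "last_wins": versions[-1],
                "active": any(k in v for v in versions for k in ACTIVE_KEYS),
            }
    return result


def urls_by_channel(data):
    """Map URL -> sorted list of channels ('link annotation', 'document text')."""
    channels = defaultdict(set)
    for _, _, body in parse_objects(data):
        for m in URI_ACTION_RE.finditer(body):
            channels[m.group(1).decode("latin-1")].add("link annotation")
    # Blank out /URI(...) literals so an annotation target is not counted twice.
    remainder = URI_ACTION_RE.sub(b"/URI()", data)
    for m in TEXT_URL_RE.finditer(remainder):
        channels[m.group(0).decode("latin-1")].add("document text")
    return {url: sorted(c) for url, c in channels.items()}


# Constructed sample: a one-page document whose link annotation (object 4) is
# redefined by an incremental update with a different target. The /Prev value
# is illustrative; the regex walk above does not use the xref chain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
           /A << /S /URI /URI (http://www.pce-instruments.com/PDF) >> >> endobj
5 0 obj << /Length 74 >> stream
BT /F1 12 Tf (See http://www.pce-france.fr/conditions-generales.htm) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20]
           /A << /S /URI /URI (http://updated.example.invalid/landing) >> >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

if __name__ == "__main__":
    for (num, gen), info in duplicate_objects(SAMPLE_PDF).items():
        print(f"object {num} {gen}: active={info['active']}")
        print("  first-wins:", info["first_wins"][:90])
        print("  last-wins: ", info["last_wins"][:90])
    for url, chans in urls_by_channel(SAMPLE_PDF).items():
        print(url, "->", ", ".join(chans))
```

On the sample, object 4 0 is reported with active=True because both bodies carry a /URI action, which is the condition under which the heuristic above raises severity; a reader that honours the incremental update follows the updated target while a first-wins reader follows the original one, so a triage that only looks at one of them misses half the picture.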

Extracted artifacts (9)

Files carved from inside the sample during analysis (filename, kind, source, size, SHA-256).

stream_022_off00052893.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x52893
  Size: 127260 bytes
  SHA-256: de8970d651030e6f36227f227208ba2590b78566b10d2c65893339c19cc5dd27
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C
    Caveat: the 0x0C indicator fires on long runs of the 0x0C byte, the filler of classic Reader heap sprays (0x0C0C0C0C). Runs of a single byte also occur in benign inflated image, ICC-profile and font data, so compare the run length against the 127260-byte stream and check which object the stream belongs to (content stream, image XObject, ...) before treating it as a spray block.

stream_042_off00076fd8.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x76FD8
  Size: 20667 bytes
  SHA-256: 14474e4c3174a9b1a2462a31e461b4bff3e06ede42fd7d103682c2842a034848

stream_048_off0007836a.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x7836A
  Size: 26862 bytes
  SHA-256: 809e51beff0de8b4ffed102f4af21c0031c3493a6ea2005d2b5d9c4285ec4628

stream_081_off000d9007.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xD9007
  Size: 330816 bytes
  SHA-256: f6a9ab43f6fd5a6b30edae3004e58894778043c0292ff39fbf5f4aee1f476b41

stream_083_off000f4f3b.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xF4F3B
  Size: 303052 bytes
  SHA-256: 7bea81cfd9f02f6c66922b96950605cdd25fccb4a5ab69d55c0e39749725136e

stream_085_off0010cf16.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x10CF16
  Size: 724164 bytes
  SHA-256: 23f0eded9d0c218eeb38a5002d3b2c3905e78796badc315ebe8727cde2e9c06b

stream_087_off0011e520.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x11E520
  Size: 228572 bytes
  SHA-256: 0b75faab31a7731eb1c594f996f8a0cc4c52e19405862b354352d4ff9a81fb0d

font_00_sfnt_off00157c6d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x157C6D
  Size: 44759 bytes
  SHA-256: c5d45101ebb0f924d76657fd1f1fff9b756e08028698a227f5016815d10719eb

font_01_sfnt_off0016668a.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16668A
  Size: 45391 bytes
  SHA-256: 445e7fd6707b3d34d9a89e2fc47b49cf064d488781d484b1862d8c8ac6e45bc6
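The artifact table and the heap-spray indicator on stream_022 are reproduced end to end by the following added example, which is not the scanner's carving or shellcode logic. It inflates each /FlateDecode stream (reporting object, file offset, inflated size and SHA-256 the way the table does), then looks for long runs of a single filler byte (0x0C, 0x0A, 0x0D) and reports how much of the stream those runs cover, so a short run inside image or font data is told apart from a spray block. The run-length threshold MIN_RUN, the SPRAY_COVERAGE share, the MAX_INFLATE cap and the sample PDF built by build_sample_pdf (one stream of mixed bytes with a short 0x0C run, one spray-shaped stream) are assumptions made for the demo.

```python
"""Carve FlateDecode streams from a PDF and triage them for heap-spray byte runs.

Added example, not the scanner's own carving or shellcode analysis. Thresholds
are assumptions for the demo, not the scanner's values.
"""
import hashlib
import re
import zlib

# "N G obj <dict> stream\n<raw>endstream"; the dict part may not cross an endobj.
STREAM_RE = re.compile(
    rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b((?:(?!endobj).)*?)stream\r?\n(.*?)endstream", re.S)
SPRAY_BYTES = {"0x0C": b"\x0c", "0x0A": b"\x0a", "0x0D": b"\x0d"}
MIN_RUN = 64                    # assumption: shortest run worth reporting
SPRAY_COVERAGE = 0.5            # assumption: filler share that makes a stream spray-shaped
MAX_INFLATE = 8 * 1024 * 1024   # cap inflated size so a deflate bomb cannot exhaust memory


def carve_flate_streams(data):
    """Inflate every /FlateDecode stream; streams zlib cannot decode are skipped."""
    streams = []
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" not in m.group(3):
            continue
        try:
            inflated = zlib.decompressobj().decompress(m.group(4), MAX_INFLATE)
        except zlib.error:
            continue
        streams.append({
            "obj": (int(m.group(1)), int(m.group(2))),
            "offset": m.start(4),            # file offset of the raw stream body
            "size": len(inflated),
            "sha256": hashlib.sha256(inflated).hexdigest(),
            "data": inflated,
        })
    return streams


def spray_runs(buf, min_run=MIN_RUN):
    """Per filler byte: number of runs >= min_run, longest run, share of the buffer."""
    report = {}
    for label, byte in SPRAY_BYTES.items():
        runs = [len(m.group(0))
                for m in re.finditer(re.escape(byte) + b"{%d,}" % min_run, buf)]
        if runs:
            report[label] = {"runs": len(runs), "longest": max(runs),
                             "coverage": sum(runs) / len(buf)}
    return report


def triage_pdf(data):
    """Carve, hash and classify each stream as clean, short-run or spray-shaped."""
    rows = []
    for s in carve_flate_streams(data):
        s["spray"] = spray_runs(s["data"])
        if any(r["coverage"] >= SPRAY_COVERAGE for r in s["spray"].values()):
            s["verdict"] = "spray-shaped"
        elif s["spray"]:
            s["verdict"] = "short-run"   # the usual false positive from image/font data
        else:
            s["verdict"] = "clean"
        rows.append(s)
    return rows


def build_sample_pdf():
    """Constructed input: two FlateDecode streams in a minimal PDF skeleton."""
    mixed = bytes(range(256)) * 16 + b"\x0c" * 80 + bytes(range(256)) * 16
    spray = b"\x0c" * 65536 + b"\x90" * 16
    body = b""
    for num, payload in ((5, mixed), (6, spray)):
        z = zlib.compress(payload)
        body += (b"%d 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % (num, len(z))
                 + z + b"\nendstream endobj\n")
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for row in triage_pdf(build_sample_pdf()):
        print(f"obj {row['obj'][0]} {row['obj'][1]} at 0x{row['offset']:X}: "
              f"{row['size']} bytes sha256={row['sha256'][:16]}... "
              f"{row['verdict']} {row['spray']}")
```

Run against the real sample, the row for the stream at 0x52893 would show whether the 0x0C run is a sliver of a 127260-byte stream or dominates it; the coverage figure, not the mere presence of a run, is what separates an exploit document from a datasheet with embedded images.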