Verdict: SUSPICIOUS
Risk Score: 26

Machine Learning
- Nyx PDF Classifier clean score 0.0002
Heuristics (4)
- Suspicious extracted artifact (severity: medium, rule EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI (severity: info, rule PDF_URI): PDF contains an external URL action.
- Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (severity: info, rule EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs extracted (channel in parentheses):
- http://www.pce-france.fr/conditions-generales.htm (in PDF document text)
- http://www.pce-instruments.com/ (PDF link annotation)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
- http://purl.org/dc/elements/1.1/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/ (in PDF document text)
- http://ns.adobe.com/pdf/1.3/ (in PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
- http://en.wikipedia.org/wiki/MIT_License (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (in PDF document text)
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z (in PDF document text)
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T (in PDF document text)
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 (in PDF document text)
- http://www.microsoft.com/Typography/0 (in PDF document text)
- https://www.verisign.com/rpa (in PDF document text)
- http://ocsp.verisign.com/ocsp/status0 (in PDF document text)
- https://www.verisign.com/rpa0 (in PDF document text)
- http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (in PDF document text)
- http://www.microsoft.com/typography (in PDF document text)
Extracted artifacts (9)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_022_off00052893.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x52893 | 127260 bytes | de8970d651030e6f36227f227208ba2590b78566b10d2c65893339c19cc5dd27 |
| stream_042_off00076fd8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x76FD8 | 20667 bytes | 14474e4c3174a9b1a2462a31e461b4bff3e06ede42fd7d103682c2842a034848 |
| stream_048_off0007836a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7836A | 26862 bytes | 809e51beff0de8b4ffed102f4af21c0031c3493a6ea2005d2b5d9c4285ec4628 |
| stream_081_off000d9007.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD9007 | 330816 bytes | f6a9ab43f6fd5a6b30edae3004e58894778043c0292ff39fbf5f4aee1f476b41 |
| stream_083_off000f4f3b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF4F3B | 303052 bytes | 7bea81cfd9f02f6c66922b96950605cdd25fccb4a5ab69d55c0e39749725136e |
| stream_085_off0010cf16.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x10CF16 | 724164 bytes | 23f0eded9d0c218eeb38a5002d3b2c3905e78796badc315ebe8727cde2e9c06b |
| stream_087_off0011e520.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x11E520 | 228572 bytes | 0b75faab31a7731eb1c594f996f8a0cc4c52e19405862b354352d4ff9a81fb0d |
| font_00_sfnt_off00157c6d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x157C6D | 44759 bytes | c5d45101ebb0f924d76657fd1f1fff9b756e08028698a227f5016815d10719eb |
| font_01_sfnt_off0016668a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16668A | 45391 bytes | 445e7fd6707b3d34d9a89e2fc47b49cf064d488781d484b1862d8c8ac6e45bc6 |

Detection results for stream_022_off00052893.bin (the only artifact with detection output):
- ClamAV: No threats found
- Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C