PDF static analysis report

Static analysis result for SHA-256 47a0eba4d82515e2…

CLEAN

PDF

Size: 1.04 MB
Created: 2021-07-06 09:20:10 -07:00
Authoring application: Writer (via OpenOffice.org 3.0)
First seen: 2022-05-15
MD5: fafe65ff338c64e93113c3ce5bd34ca7
SHA-1: 528a4c9327696d454aa3ca92573b8be335935a60
SHA-256: 47a0eba4d82515e2ca1c02cd7cc56c3535cc62030a8d90a557b29c9915c333e9
Risk Score: 6

Machine Learning

  • Nyx PDF Classifier clean score 0.0005

Heuristics 3

  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (extracted string, then the channel it was found in):
    • http://www.monotype.comhttp://www.monotype.com/html/type/license.html (In PDF document text)
    • https://www.jw.org/en/library/videos/#en/mediaitems/VODBibleTeachings/pub-jwbcov_201605_11_VIDEO (PDF link annotation)
    • http://www.monotype.com/html/mtname/ms_timesnewroman.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION (In PDF document text)
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION (In PDF document text)
    • http://www.gnu.org/licenses/lgpl.htmlKhmer (In PDF document text)
    • http://www.geocities.com/dnhhnghttp://www.geocities.com/dnhhnghttp://www.khmeros.infoKhmer (In PDF document text)
    • http://www.freedesktop.org/wiki/Software/CJKUnifonts (In PDF document text)
    • http://www.freedesktop.org/wiki/Software/CJKUnifontsARPHIC (In PDF document text)
    • http://fontforge.sf.net/ (In PDF document text)

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_204_off000cbe03.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xCBE03 | 52868 bytes
  SHA-256: cddae67a9047a37f5b47183062232e01de9fb30a73f6e883424b612734070a13
font_00_sfnt_off000c3152.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC3152 | 25904 bytes
  SHA-256: 2920f791f8cd7afb0e6caf464fb432312ee4d7c4791ac74b6a3b9478947d04c1
font_01_sfnt_off000c6929.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC6929 | 13972 bytes
  SHA-256: da0d9f42b68015b3f287fd59a44b9780be22a90e9285cc282a13092bd5ff26f1
font_02_sfnt_off000c89cc.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC89CC | 29600 bytes
  SHA-256: 81166ddf6c10451b5d53dfb6eff51955d5bb68974aaa5887546dfce30d1517d2
font_04_sfnt_off000d42c6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD42C6 | 59632 bytes
  SHA-256: 1fa1c8de24fbce658aab536e1f93d0a39c7e6229c0850135a5f14a7202c952a6
font_05_type1_off000de13f.bin | pdf-font-stream | PDF embedded font (type1) at offset 0xDE13F | 109425 bytes
  SHA-256: 08c09c125f1f57509133457d90b4aa0d4698819bab9533b399a0e8f6a80b66dc

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.