PDF static analysis report

Static analysis result for SHA-256 48ff79b944fbae27…

SUSPICIOUS

PDF

File size: 4.56 MB
Created: 2018-08-11 09:21:00 +02:00
Authoring application: Adobe Illustrator(R) 17.0 (via iText® 7.1.1 ©2000-2018 iText Group NV (AGPL-version))
First seen: 2026-06-04
MD5: d7ad1e283be9c9d9f28f97ee21cec6e7
SHA-1: 44648e441f054571ebb621024da0faacc191c548
SHA-256: 48ff79b944fbae27032963f0e62ccba9c4f9f68daf3f60f3af56952aec763b5e
Risk Score: 46

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains embedded URLs and references to technical content, including a specific paper and journal. One heuristic indicates the presence of LOLBin token sequences in the document text, suggesting an attempt to execute commands. While no scripts were explicitly extracted, the combination of embedded URLs and command-related heuristics points towards a potential phishing or malware delivery mechanism. The document body was heavily obfuscated and unreadable.

Machine Learning

  • Nyx PDF Classifier clean score 0.0005

Heuristics (4)

  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (with the channel that reached each one):
    • http://www.vectornav.com (in PDF document text)
    • http://owenson.me/build-your-own-quadcopter-autopilot/DCMDraft2.pdf (in PDF document text)
    • http://www.starlino.com/imu_guide.html/ (in PDF document text)
    • https://www.xsens.com/products/mti-100-series/ (in PDF document text)
    • https://developer.android (in PDF document text)
    • http://www.gust.org.pl (in PDF document text)
    • http://www.gust.org.pl/fonts/licenses/GUST-FONT-LICENSE.txt (in PDF document text)
    • http://creativecommons.org/licenses/by/4.0/ (in PDF document text)
    • http://www.mdpi.com/journal/sensors (PDF link annotation)
    • http://www.mdpi.com (PDF link annotation)
    • https://orcid.org/0000-0002-2309-085X (in PDF document text)
    • http://dx.doi.org/10.3390/s18082616 (in PDF document text)
    • http://dx.doi.org/10.1109/VSMM.2016.7863198 (in PDF document text)
    • http://dx.doi.org/10.1016/j.isprsjprs.2009.10.001 (in PDF document text)
    • http://dx.doi.org/10.1016/j.isprsjprs.2010.12.004 (in PDF document text)
    • http://dx.doi.org/10.1186/s40064-015-1572-8 (in PDF document text)
    • http://www.ncbi.nlm.nih.gov/pubmed/26753121 (in PDF document text)
    • http://dx.doi.org/10.12681/eadd/28184 (in PDF document text)
    • http://dx.doi.org/10.1109/DASC.2003.1245952 (in PDF document text)
    • http://dx.doi.org/10.1109/TIM.2008.2006137 (in PDF document text)
    • http://dx.doi.org/10.5194/isprsarchives-XL-3-9-2014 (in PDF document text)
    • http://dx.doi.org/10.1088/0957-0233/19/8/085202 (in PDF document text)
    • http://dx.doi.org/10.1080/10095020.2018.1424085 (in PDF document text)
    • http://dx.doi.org/10.1109/ICIF.2006.301604 (in PDF document text)
    • http://dx.doi.org/10.3390/s17102164 (in PDF document text)
    • http://www.ncbi.nlm.nih.gov/pubmed/28934102 (in PDF document text)
    • http://dx.doi.org/10.3390/s111009182 (in PDF document text)
    • http://www.ncbi.nlm.nih.gov/pubmed/22163689 (in PDF document text)
    • http://dx.doi.org/10.3390/s17092146 (in PDF document text)
    • http://www.ncbi.nlm.nih.gov/pubmed/28925979 (in PDF document text)
    • http://dx.doi.org/10.1109/IROS.2008.4650766 (in PDF document text)
    • http://dx.doi.org/10.1109/78.978396 (in PDF document text)
    • http://dx.doi.org/10.1016/j.sna.2007.05.008 (in PDF document text)
    • http://dx.doi.org/10.1109/PLANS.2000.838300 (in PDF document text)
    • https://www.researchgate.net/publication/200045331_An_Introduction_to_the_Kalman_Filter (in PDF document text)
    • https://developer.android.com/guide/components/services (in PDF document text)
    • https://developer.android.com/guide/components/aidl (in PDF document text)
    • http://creativecommons.org/ (in PDF document text)
    • http://www.mdpi.com/1424-8220/18/8/2616?type=check_update&version=2 (in PDF document text)
    • http://tug.org/fonts/licenses/GUST-FONT-LICENSE.txt (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Font# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
    +21 more URL(s)

Extracted artifacts (21)

Files carved from inside the sample during analysis. Each entry lists: Filename | Kind | Source | Size, followed by its SHA-256 and any detection notes.
stream_021_off000204f9.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x204F9 15752 bytes
SHA-256: 64202cf04b6ca119a9f7480467c4fc68115929ee0e1b56844de4c54627a83b08
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.
stream_024_off00024e2a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x24E2A 19555 bytes
SHA-256: 417fc669ceda1bdfcce6e98d647432b28ca7ffb0ddaa395ae89f405bec0ff16a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
226 of 373 identifiers look randomly generated (e.g. 'DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8f'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
stream_041_off0003e9f3.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E9F3 176140 bytes
SHA-256: d178cb61a4f3563a9fd419a16d8e9c9d49e675c8a4cc00cccb071a91f1cc8605
stream_045_off00084aec.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x84AEC 44644 bytes
SHA-256: b6a92ccbb20c1b0829d9626c90d95a99b1ecaa092b413506d6a564f7f6d7b43a
font_00_type1_off0000f23f.bin pdf-font-stream PDF embedded font (type1) at offset 0xF23F 19521 bytes
SHA-256: 7dd90e53239f84520c880ce818143c3017fc1f63ff9b1c0c507d256a48233b34
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.95, consistent with packed or encrypted content.
font_01_type1_off00013f6b.bin pdf-font-stream PDF embedded font (type1) at offset 0x13F6B 22648 bytes
SHA-256: a0c0f97ce941f8d94a35a71903ada17af4449addf17ec705b6d3e162b208b6b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
font_02_type1_off000199fe.bin pdf-font-stream PDF embedded font (type1) at offset 0x199FE 26676 bytes
SHA-256: e97aa1de573f002cadb544c683e08f51c77e1d87bce9582a23e5bb6875eb9fd4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
font_04_cff_off00024a07.bin pdf-font-stream PDF embedded font (cff) at offset 0x24A07 986 bytes
SHA-256: a3b99d25fc3e647f2ed20b333e058620b6becddc1245c2ebdc6377e770fd7dea
font_05_cff_off000318f1.bin pdf-font-stream PDF embedded font (cff) at offset 0x318F1 1986 bytes
SHA-256: 678a4080f77bb3bea4d0a6d848cb9b46ed10143ee9a27149f87a8ad3df277bdb
font_06_cff_off000320d4.bin pdf-font-stream PDF embedded font (cff) at offset 0x320D4 664 bytes
SHA-256: ec876e3a450383cbb87c280a9b5bce6020072faab44354b38cf2c203180c0bef
font_07_cff_off000325af.bin pdf-font-stream PDF embedded font (cff) at offset 0x325AF 2444 bytes
SHA-256: 34327ebb61bef9818d2f8b5350259ddcc8ff55122f1ca7840c4d073b2a99f8dd
font_08_type1_off00032fe6.bin pdf-font-stream PDF embedded font (type1) at offset 0x32FE6 7810 bytes
SHA-256: e4f14d22cb83550337a1887828c1aaeaa9ff57cf3e3e9566119abfe21dc2680f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.84, consistent with packed or encrypted content.
font_09_type1_off00034f0e.bin pdf-font-stream PDF embedded font (type1) at offset 0x34F0E 12341 bytes
SHA-256: 68178f62c0dadc3f46a31262faacaea0c0e37bfffcc5ad8b7b86055e89051ef5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_10_type1_off0003807b.bin pdf-font-stream PDF embedded font (type1) at offset 0x3807B 8364 bytes
SHA-256: 9f30bf24982121aa32fe47bcf06d238afc508ac7011d6c0852f8b90503b0356d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_11_type1_off0003a1a1.bin pdf-font-stream PDF embedded font (type1) at offset 0x3A1A1 5120 bytes
SHA-256: 507a8ccb5bae6f5c0634766aea02b2ee17d57eff4bc5343c741d9c345e277c7e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.71, consistent with packed or encrypted content.
font_12_type1_off0003b6c8.bin pdf-font-stream PDF embedded font (type1) at offset 0x3B6C8 7698 bytes
SHA-256: 608b23f51c1224b5560ec9a5cf431a0c951ff519ba75b024a77398467b16c320
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_14_sfnt_off0005a282.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x5A282 124172 bytes
SHA-256: f69250fcf00ec35b2ae64193834f8f30b000a9d6b49f5c7e2008105cbad31503
font_15_sfnt_off0006e039.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x6E039 125816 bytes
SHA-256: 0d9a61d78e5fac410ca07304e888204f7fa5e7185b54c5e9818625d10411c3e8
font_16_sfnt_off0007fce5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x7FCE5 80784 bytes
SHA-256: 828cd0032985b6cafdd34e9ec35b6b21c27721286ac945d48e8595f6e635b106
font_18_sfnt_off00095ed2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x95ED2 14552 bytes
SHA-256: 597cd7a41103c38a47222b2c3c8e623b78a5bec538768b0679003db0b8d1cfc3
font_19_type1_off000990c4.bin pdf-font-stream PDF embedded font (type1) at offset 0x990C4 2478 bytes
SHA-256: b98f7fa124536d2f0584b82f65ad1a32fe3462e59bdd50389a3e341b7ad41b6e