PDF static analysis report

Static analysis result for SHA-256 517aac80e3c7eddd…

CLEAN

PDF

Size: 1.50 MB
Created: [unreadable: encrypted metadata string]
Authoring application: [unreadable: encrypted metadata string] (via [unreadable: encrypted metadata string])
First seen: 2012-10-11
MD5: 0604477e4b2f64286ae5a67de333643b
SHA-1: 4058aced488dde40bd91717c011aa2b0d2f30b6c
SHA-256: 517aac80e3c7edddb0943b56f1e3d1c61a5b299b05dba36e94feca0f2cb443c7
Risk Score: 16

Malware Insights

MITRE ATT&CK: T1566.002 Spearphishing Attachment

The PDF file is encrypted and contains no readable text, but heuristics indicate it is an image-only lure with invisible links. One embedded URL, http://anzeigen.automatisieren.org, was extracted. The presence of invisible links and an external URL suggests an attempt to redirect the user to a malicious site, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier clean score 0.0408

Heuristics (5)

  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel that reached each URL):
    • http://anzeigen.automatisieren.org (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (in PDF document text)
    • http://ns.adobe.com/photoshop/1.0/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
    • http://www.npes.org/pdfx/ns/id/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (in PDF document text)
    • http://ns.adobe.com/xmp/InDesign/private (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/t/pg/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/g/ (in PDF document text)
    • http://ns.adobe.com/illustrator/1.0/ (in PDF document text)
    • http://www.iec.ch (in PDF document text)

Extracted artifacts (31)

Files carved from inside the sample during analysis.

Each entry lists: Filename; Kind; Source; Size; SHA-256; Detection (where a check fired).

  • stream_042_off00068447.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x68447; Size: 14385 bytes
    SHA-256: 347fa4975374e30d085bb497e468c7dbd3cb041240f38b2a9ef5bb04fe0969ad
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. 255 of 401 identifiers look randomly generated (e.g. 'lQQR4g4aCLYx55WE21kJSVjM9HK9QOO9OuGN70lj') — consistent with name-mangling obfuscation.
  • stream_059_off0007ee00.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x7EE00; Size: 26163 bytes
    SHA-256: a575a65db9d3134e3c2862579ac5c91bd127bb1b46b397e1e7799789258e4502
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. 347 of 528 identifiers look randomly generated (e.g. 'BUXD1CC4Mkbi0EAmPDVJTEX0OudjtsYbmDc6sOG4'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
  • stream_068_off000df681.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xDF681; Size: 29426 bytes
    SHA-256: 7f22c065a4e9571021f055896c5ec5af322d9aa40184f63610bb430545a20f64
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. 571 of 772 identifiers look randomly generated (e.g. 'xV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxVjGt63f22'); 7 string-concatenation chain(s) — consistent with name-mangling obfuscation.
  • stream_070_off000ea8c4.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xEA8C4; Size: 8928 bytes
    SHA-256: a52939c26bc40060f4052671a033d5c74a69c12ab3fbf9064d5c38e602043a67
  • stream_075_off000f8b1f.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0xF8B1F; Size: 182616 bytes
    SHA-256: 51759321d91aeec8ce5801e3386e5325b7699f298fea9933f420a1eee76aefe5
  • stream_076_off001034a0.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x1034A0; Size: 178022 bytes
    SHA-256: bbb3c4ec88ab5cb4c8262819064f8a7734d51e8508701eff14a230afdce3f7b7
  • stream_141_off0012ce4b.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x12CE4B; Size: 16499 bytes
    SHA-256: 853cc2a1da64462e463d2bcac0abbcbbf1d5bc86302365e338f3b619b0895180
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. 322 of 484 identifiers look randomly generated (e.g. 'DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8f'); 3 string-concatenation chain(s) — consistent with name-mangling obfuscation.
  • icc_00_off0011d9f6.icc
    Kind: pdf-icc-profile; Source: PDF ICC profile at offset 0x11D9F6; Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_00_cff_off00133798.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x133798; Size: 4612 bytes
    SHA-256: c135bd10aa763f1735fd865330705f3a2c152f2f1eb2fddfb0f8a9645a11e851
  • font_01_cff_off001347e7.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x1347E7; Size: 7224 bytes
    SHA-256: cd04c7f31a5ee861ee0f0381221d4a6ab1d373e83f490aa2663814869c851395
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.43, consistent with packed or encrypted content.
  • font_02_cff_off0013612d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x13612D; Size: 6076 bytes
    SHA-256: 5c14c402798c4de2449e030a5b3b1a323b209bfb47174b36cba058147b780739
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.42, consistent with packed or encrypted content.
  • font_03_cff_off0013765b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x13765B; Size: 6313 bytes
    SHA-256: 9166ca938dbd04cbc4cd8eb71d1f80c87f507029599f65f2a89c1328c24a881f
  • font_04_cff_off00138c10.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x138C10; Size: 9926 bytes
    SHA-256: 2d4494be06b9330e583fb33f5881f2af54413511cf7dd6a3f5f150007a3a8df5
  • font_05_cff_off0013ff96.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x13FF96; Size: 6037 bytes
    SHA-256: 5d99600207c9d06e1734b78c9a0cd90530f0793353bf2f22bb368f49ad4e00ff
  • font_06_cff_off0014287b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14287B; Size: 3129 bytes
    SHA-256: cac52d7523a2d6f467d8c43444d817ecf9b84b5df1f7540d19868e3d3f122cd3
  • font_07_cff_off0014375c.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14375C; Size: 2641 bytes
    SHA-256: 288f4c8303dfd5dc85ccf2ba77ae9eb2e74b37e7978626a8072af0862c3b15f0
  • font_08_cff_off0014409c.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14409C; Size: 1007 bytes
    SHA-256: 97c912aa24ae80bea8faccf54059567914b7494b8b6eb1b0a313193928c4f960
  • font_09_cff_off001444c5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x1444C5; Size: 2082 bytes
    SHA-256: ba460df4b623dad1bd10e0a274bc159b00f3b07e2882b6fa7d4d5fd1b14a94b5
  • font_10_cff_off001452c2.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x1452C2; Size: 1891 bytes
    SHA-256: c40f3f6968698bb045deab4d02f6c9690910dae1d13f8d9ac8e59347406130eb
  • font_11_cff_off001490bf.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x1490BF; Size: 1847 bytes
    SHA-256: a5701a518523d74bd2b349d076fdbccfff250bd5adcc4ddaf76f53c86fd4e5f8
  • font_12_cff_off001497da.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x1497DA; Size: 4405 bytes
    SHA-256: 950585a120d98586e4121549b935f5c011c0a5db389d1d772654a9bd3e78b948
  • font_13_cff_off0014a7b5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14A7B5; Size: 4988 bytes
    SHA-256: d0bd9ee476137f3217acb0845eb46ed686e82abea1df048015d4f08a0af799c8
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.46, consistent with packed or encrypted content.
  • font_14_cff_off0014bbc8.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14BBC8; Size: 4548 bytes
    SHA-256: 2aad6546f406d93c1e270322c9ab0bb706188d3379f93ee1ce30cabfe1cc111b
  • font_15_cff_off0014cbad.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x14CBAD; Size: 2952 bytes
    SHA-256: ab7976cd4ab59548b677ca7ba3bc72a149a994ad903d7959ca8f443434c09e5f
  • font_16_cff_off00154a6a.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x154A6A; Size: 323 bytes
    SHA-256: 1962d86d95ef3e119c5505cd65c00640c591b23f87b8af0f117b4f9110490359
  • font_17_cff_off00154d04.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x154D04; Size: 3507 bytes
    SHA-256: 7ba1732d8bd19efe3e134b45d44b951e59097ee9c0c6e10dc7faca60b53514ea
  • font_18_cff_off0015572e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x15572E; Size: 2110 bytes
    SHA-256: af13cca967769ecb2fee094d413269cb42e32453d3114aad51f1e06a4ce38157
  • font_19_cff_off00155d45.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x155D45; Size: 4453 bytes
    SHA-256: 0ef27d392b298eea5e47629f9db7d24428f9eb44311df00c43c3da2731339a7f
  • font_20_cff_off00156ad5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x156AD5; Size: 2078 bytes
    SHA-256: f23ddce6407dadf40c4054794ec3becd4debf035c1c22a8956d6b54d08dc5b6c
  • font_21_cff_off0015724d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x15724D; Size: 703 bytes
    SHA-256: 83a723b51629372ccfe9acc5ba1c7afc2759fa06b92ee18cfc2f8a6a5ccce926
  • font_22_cff_off0015756c.bin
    Kind: pdf-font-stream; Source: PDF embedded font (cff) at offset 0x15756C; Size: 2717 bytes
    SHA-256: 6ce6a4854924bba1cbef2f4fef7d42df4d6d72eb1f755eaf5511da224633c9ef