PDF static analysis report

Static analysis result for SHA-256 59653a3521897ace…

Verdict: SUSPICIOUS
File type: PDF
Size: 1.68 MB
Created: 2016-11-25 15:52:20 -08:00
Authoring application: Microsoft® Word 2010
First seen: 2021-08-20
MD5: bd6a770f58853887491cf1ae5e3a695f
SHA-1: 8aca8f39dd0b13c1c58c901d9ae09b78357a8f07
SHA-256: 59653a3521897ace2dd9d5b14a678cf6147b727faa180d11f1115f94b06d7511
Risk score: 44

Machine Learning

  • Nyx PDF Classifier: clean (score 0.0003)

Heuristics (4)

  • Clickable URI uses URL shortener (severity: medium, rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs, with the channel that reached each one in parentheses:
    • http://www.vtpi.org/ (PDF link annotation)
    • http://www.brtdata.org/ (PDF document text)
    • http://www.tams.act.gov.au/ (PDF document text)
    • http://www.tams.act.gov.au/__data/assets/pdf_file/0005/397517/Transit_Lane_Study.pdf (PDF document text)
    • http://transportblog.co.nz/ (PDF document text)
    • http://transportblog.co.nz/2011/08/21/expanding-aucklands-bus-lane-network-the-next-steps (PDF document text)
    • http://www.nzta.govt.nz/ (PDF document text)
    • http://www.crridom.gov.in/ (PDF document text)
    • http://www.wctrs-society.com/wp/wp-content/uploads/abstracts/rio/selected/2491.pdf (PDF document text)
    • http://www.tcrponline.org/ (PDF document text)
    • http://www.tcrponline.org/PDFDocuments/tsyn83.pdf (PDF document text)
    • http://www.embarq.org/ (PDF document text)
    • http://www.embarq.org/sites/default/files/Traffic-Safety-Bus-Priority-Corridors-BRT-EMBARQ-World-Resources-Institute.pdf (PDF document text)
    • http://www.embarq.org/publication/bus-karo-guidebook-planning-operations (PDF document text)
    • http://www.metroplanning.org/ (PDF document text)
    • http://www.metroplanning.org/news/blog-post/7242 (PDF document text)
    • http://www.ugpti.org/trb/truckandbus/meetings/2014/downloads/2014bus_priority.pdf (PDF document text)
    • http://nzta.govt.nz/ (PDF document text)
    • http://nzta.govt.nz/resources/research/reports/506/docs/506.pdf (PDF document text)
    • http://thecityfix.com/ (PDF document text)
    • http://thecityfix.com/blog/learning-from-delhis-brt-failure-looking-citys-future-dario-hidalgo/ (PDF document text)
    • http://www.itdp.org/ (PDF document text)
    • http://www.itdp.org/documents/BRT_Standard_12312.pdf (PDF document text)
    • http://www.itdp.org/library/standards-and-guides/the-bus-rapid-transit-standard/what-is-brt/ (PDF document text)
    • http://www.sutp.org/index.php?option=com_content&task=view&id=2827&Itemid=1&lang=en (PDF document text)
    • http://www.sutp.org/dn.php?file=TD-RAD-EN.pdf (PDF document text)
    • http://transportationist.org/ (PDF document text)
    • http://transportationist.org/2015/07/16/thoughts-on-transit-and-urban-form/ (PDF document text)
    • http://davidlevinson.org/the-end-of-traffic-and-the-future-of-transport (PDF document text)
    • http://www.vtpi.org/distortions_BPJ.pdf (PDF document text)
    • http://www.ite.org/ (PDF document text)
    • http://digitaleditions.sheridan.com/publication/?i=161624 (PDF document text)
    • http://www.vtpi.org/ITED_congestion.pdf (PDF document text)
    • http://www.vtpi.org/tranben.pdf (PDF document text)
    • http://cept.ac.in/178/center-for-urban-equity-cue- (PDF document text)
    • http://nacto.org/ (PDF document text)
    • http://nacto.org/transit-street-design-guide (PDF document text)
    • http://www.smartgrowthamerica.org/ (PDF document text)
    • http://www.smartgrowthamerica.org/complete-streets/complete-streets-fundamentals/complete-streets-faq (PDF document text)
    • http://www.vtpi.org/tdm (PDF document text)
    • http://islandpress.org/human-transit (PDF document text)
    • http://www.humantransit.org/ (PDF document text)
    • http://www.humantransit.org/houston (PDF document text)
    • http://transportblog.co.nz (PDF document text)
    • http://nzta.govt.nz (PDF document text)
    • http://thecityfix.com (PDF document text)
    • http://thecityfix.com/blog/learning-from-delhis-brt-failure-looking-citys-future- (PDF document text)
    • http://transportationist.org (PDF document text)
    • http://transportationist.org/2015/07/16/thoughts-on-transit-and-urban-form (PDF document text)
    • http://nacto.org (PDF document text)
    +73 more URL(s) not listed in this report
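The EXTRACTED_FILE_STATIC_TRIAGE heuristic above lists the kinds of static suspicious-content checks that are run over carved files (script obfuscation, encoded payload blobs, packed data, execution/download terms), and the per-artifact "Obfuscation or payload: likely" rows further down are the output of checks of that kind. The following is an added example of how such a pass can be written; it is not the analysis engine's own code, and the indicator vocabularies, the entropy threshold, the obfuscation hit count and the three input buffers are all assumptions constructed for this illustration:

```python
"""Added example for this page, not the analysis engine's code: static
suspicious-content checks of the kind the EXTRACTED_FILE_STATIC_TRIAGE rule
describes, run over a carved artifact: packed data (byte entropy), encoded
payload blobs, script obfuscation and execution/download terms."""
import base64
import math
import random
import re
from collections import Counter

# Vocabularies and thresholds are assumptions of this example, not the tool's.
EXEC_TERMS = [b"powershell", b"cmd.exe", b"wscript.shell", b"shellexecute",
              b"urldownloadtofile", b"createobject(", b"eval(", b"unescape("]
B64_BLOB_RE = re.compile(rb"(?:[A-Za-z0-9+/]{4}){16,}={0,2}")  # 64+ base64 chars
OBF_RE = re.compile(rb"%u[0-9a-f]{4}|\\x[0-9a-f]{2}|fromcharcode")
ENTROPY_PACKED = 7.2  # bits/byte; compressed, encrypted or random data sits near 8
OBF_MIN_HITS = 8      # a handful of escapes is normal; dozens is a strong signal


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a constant buffer, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_triage(data: bytes) -> dict:
    """Run the four checks and return the indicators that fired with a verdict."""
    low = data.lower()
    entropy = shannon_entropy(data)
    checks = {
        "packed_data": entropy >= ENTROPY_PACKED,
        "encoded_payload_blob": B64_BLOB_RE.search(data) is not None,
        "script_obfuscation": len(OBF_RE.findall(low)) >= OBF_MIN_HITS,
        "execution_download_terms": sorted(t.decode() for t in EXEC_TERMS if t in low),
    }
    fired = [name for name, hit in checks.items() if hit]
    return {"verdict": "likely" if fired else "not found",
            "indicators": fired, "entropy": round(entropy, 3), "checks": checks}


# Constructed inputs; none of these bytes were carved from the analysed sample.
BENIGN = b"See http://www.vtpi.org/tranben.pdf for the congestion costing method. " * 4
B64_PAYLOAD = base64.b64encode(b"constructed payload blob, not real malware " * 3)
OBFUSCATED = (b"var sc = unescape('" + b"%u9090" * 9 + b"');\n"
              b"var p = '" + B64_PAYLOAD + b"';\n"
              b"eval(String.fromCharCode(112, 97, 121));\n")
rng = random.Random(2016)  # fixed seed so the buffer is the same on every run
HIGH_ENTROPY = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for packed data
```

Run on the three buffers, BENIGN reports "not found", OBFUSCATED fires the blob, obfuscation and execution-term checks, and HIGH_ENTROPY fires only the packed-data check. That last case is the caveat to keep in mind when reading the artifact rows below: an inflated stream that holds compressed image data or an embedded font is also high-entropy and trips the same check, so an "Obfuscation or payload: likely" row next to a clean ClamAV result is a prompt to inspect the carved file by hand, not a detection on its own.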

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: stream_009_off000880c3.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x880C3
  Size: 991440 bytes
  SHA-256: 1daf5d7a68c07d630e592c30c19ae1fb2e25c921cc99e718a2ac66a5e90f54ac
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06

Filename: stream_014_off000a3a38.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA3A38
  Size: 950484 bytes
  SHA-256: 1fd5fe2df3a35511374c8aadb28d599f3fa2462e119a99c6aa420700935d1eaf
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04

Filename: stream_032_off000e1aa6.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xE1AA6
  Size: 427384 bytes
  SHA-256: 3fca1f28f325aab7017e40b4ce60eb43ecf652598b674e7b2d3afb98b068fca0

Filename: stream_033_off00111ad1.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x111AD1
  Size: 390720 bytes
  SHA-256: f409da7673bb7a3f86d4b651ee5ef5b669de9960e73dac47996460cb8e7a5bb7

Filename: stream_035_off0013c5e4.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x13C5E4
  Size: 293668 bytes
  SHA-256: 66d07767ebeddb3d576b768c60d340ffc92cec6d841685f94503423c815dcc41
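Two parts of this report are worth reproducing in code: the per-URL channel labels and the shortener heuristic in the Heuristics section (a link-annotation /URI action is what a click actually opens, whereas a URL in the document text is only prose), and the artifact section above, where FlateDecode streams are carved by offset, inflated, sized and hashed. The following is an added example written for this page, not the analysis engine's code. It parses at the regex level, so it assumes objects are not packed into object streams, the document is not encrypted, /URI targets are literal (not hex) strings, and /Length values are direct; the shortener host list, the choice of the stream dictionary's position as the "offset", and the sample PDF fragment are all assumptions of the example, and the sample is constructed, not the analysed document:

```python
"""Added example for this page, not the analysis engine's own code: a minimal
static PDF triage pass that carves FlateDecode streams by offset, hashes the
inflated bytes, extracts URLs per channel (link-annotation /URI actions versus
text inside content streams) and flags link targets on URL-shortener hosts."""
import hashlib
import re
import zlib
from urllib.parse import urlsplit

# Assumed shortener list for illustration; a real tool keeps a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# A dictionary (one level of nesting allowed) followed by the `stream` keyword.
STREAM_HDR_RE = re.compile(
    rb"<<(?P<dict>(?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)
# Direct /Length value only (an indirect `/Length 5 0 R` is skipped).
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
# A /URI action dictionary in either key order, with a literal-string target.
URI_ACTION_RE = re.compile(
    rb"<<(?:[^<>]*?/S\s*/URI\b[^<>]*?/URI\s*\((?P<a>(?:\\.|[^\\)])*)\)"
    rb"|[^<>]*?/URI\s*\((?P<b>(?:\\.|[^\\)])*)\)[^<>]*?/S\s*/URI\b)", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_streams(pdf: bytes) -> list:
    """Locate every stream object and inflate the FlateDecode ones."""
    out = []
    for i, m in enumerate(STREAM_HDR_RE.finditer(pdf)):
        d, start = m.group("dict"), m.end()
        n = LENGTH_RE.search(d)
        end = start + int(n.group(1)) if n else pdf.find(b"endstream", start)
        raw = pdf[start:end if end >= 0 else len(pdf)]
        if not n:  # no usable /Length: drop the EOL that precedes `endstream`
            raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
        kind, decoded = "raw-pdf-stream", raw
        if b"/FlateDecode" in d:
            kind = "decompressed-pdf-stream"
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None  # corrupt or truncated stream: keep the record
        out.append({
            # Offset of the stream's dictionary; the page does not say which byte
            # the engine's offsets refer to, so this choice is an assumption.
            "name": f"stream_{i:03d}_off{m.start():08x}.bin",
            "offset": m.start(), "kind": kind, "decoded": decoded,
            "size": len(decoded) if decoded is not None else 0,
            "sha256": sha256_hex(decoded) if decoded is not None else None,
        })
    return out


def pdf_string(raw: bytes) -> str:
    """Undo the backslash escapes of a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def link_annotation_uris(pdf: bytes) -> list:
    """Targets of /URI actions; these are what a click actually opens."""
    return [pdf_string(m.group("a") if m.group("a") is not None else m.group("b"))
            for m in URI_ACTION_RE.finditer(pdf)]


def is_shortener(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host in SHORTENER_HOSTS or any(host.endswith("." + h) for h in SHORTENER_HOSTS)


def triage(pdf: bytes) -> dict:
    streams = carve_streams(pdf)
    urls = [(u, "PDF link annotation") for u in link_annotation_uris(pdf)]
    # Text URLs come from inflated content streams. Real documents split text
    # across many Tj operators, so a production tool runs text extraction first.
    for s in streams:
        for m in URL_RE.finditer(s["decoded"] or b""):
            urls.append((m.group(0).decode("latin-1"), "PDF document text"))
    link_urls = [u for u, ch in urls if ch == "PDF link annotation"]
    heuristics = []
    if any(is_shortener(u) for u in link_urls):
        heuristics.append("PDF_URL_SHORTENER_URI")  # medium
    if link_urls:
        heuristics.append("PDF_URI")                # info
    if urls:
        heuristics.append("EMBEDDED_URL")           # info
    return {"streams": streams, "urls": urls, "heuristics": heuristics}


# Constructed sample, not the analysed document: a parseable PDF fragment (no
# xref) with two link annotations and one FlateDecode content stream.
SAMPLE_TEXT = b"BT /F1 12 Tf 72 700 Td (See http://www.vtpi.org/tranben.pdf) Tj ET"


def build_sample_pdf() -> bytes:
    body = zlib.compress(SAMPLE_TEXT)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (http://www.vtpi.org/) >> >> endobj\n"
        b"2 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] "
        b"/A << /URI (http://bit.ly/constructed-example) /S /URI >> >> endobj\n"
        b"3 0 obj << /Length " + str(len(body)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream endobj\n"
        b"%%EOF\n"
    )
```

`triage(build_sample_pdf())` returns one carved stream whose inflated bytes equal SAMPLE_TEXT, two "PDF link annotation" URLs and one "PDF document text" URL, and the heuristics PDF_URL_SHORTENER_URI, PDF_URI and EMBEDDED_URL in that order; the shortener flag is raised only for link-annotation targets, since a shortener mentioned in body text cannot be clicked. Against a real document the same approach also needs the other action channels the report's EMBEDDED_URL note mentions (JavaScript, Launch, GoToR), which this example does not cover.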