PDF static analysis report

Static analysis result for SHA-256 64d585f1efc5ae44…

SUSPICIOUS

PDF

51.0 KB Created: 2017-11-18 12:55:31 +01:00 Authoring application: wkhtmltopdf 0.12.3 (via Qt 4.8.7) First seen: 2026-05-04
MD5: f6e64aa85f69621310526c7c2eb16ee9 SHA-1: 828209954f45107fd59f76c6304a1133314f9629 SHA-256: 64d585f1efc5ae441eb84cbdea3933403de9b66d7eab4ed17f883bb072eba492
44 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains an embedded URL that points to a suspicious domain, likely intended to deceive the user into clicking it. The heuristic 'SE_LOLBIN_RUN_COMMAND' suggests the document text may contain command-like strings, further indicating a malicious intent to execute or prompt user interaction with system commands. No scripts were extracted, but the presence of the external URI and command-like text strongly suggests a phishing or credential harvesting attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0017

Heuristics 3

  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://secure-restore-payments-frauds.com/signin-cmd-update-information-account-token-489213648641287hjkhd78261836146haksdg671423kjahdajshfa4156868714146585683423 PDF link annotation
    • http://www.monotype.comMonotypeIn PDF document text
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.htmlIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008595.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8595 13628 bytes
SHA-256: f99bbaa67ba92ca88866f81edd1a2da065d10f7ae5277c25b64c59b435226cac
font_01_sfnt_off0000ac7e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xAC7E 11264 bytes
SHA-256: 4d6d7a54fe3fc9c4eba086eb6660b7cf515d1eed2acecb414928f3534e5fba23