PDF static analysis report

Static analysis result for SHA-256 723dcd51a1d65338…

Verdict: CLEAN
File type: PDF
Size: 2.41 MB
Created: (encrypted string, not readable by the static scan)
Authoring application: (encrypted string, not readable by the static scan)
First seen: 2021-08-20
MD5: 099b293a185b89021a2fdbd27c0eee91
SHA-1: 01555c8f2900e7729f0843d5a15cd186230cf3ba
SHA-256: 723dcd51a1d65338672ad0f7783fd325a99e10fe05923e102760d6bd9e8d2ef2
Risk score: 4

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The document is encrypted (/Encrypt, standard security handler), so its string and stream contents are opaque to the static scan; on its own that is informational, and the heuristics below record it as such. No JavaScript, image-only-lure or other active-content heuristic fired for this sample, so the T1059.007 mapping above is not corroborated by anything the scan extracted; a JavaScript claim for an encrypted file needs at least a visible /JS or /JavaScript name, which was not reported here. Of the 131 URLs extracted, the 50 listed below were all found in the document text rather than reached through a JavaScript, macro or link-annotation path, and they point at contact and directory pages of spiritist organisations, mostly in Brazil, which is consistent with a listing document rather than with a command-and-control channel. The evidence on this page supports the CLEAN verdict and the classifier result.

Machine Learning

  • Nyx PDF Classifier clean score 0.0041

Heuristics (2)

  • Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTED
    PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements and rights-managed material. Static heuristics cannot inspect encrypted payload bytes. Only strings and streams are encrypted, however; object dictionaries and name objects (for example /JavaScript, /OpenAction or /URI keys) stay readable, so a static scan can still tell which object types are present even though it cannot read their contents.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blogespiritaavozdaverdade.com.br  (in PDF document text)
    • http://www.verdadeluz.com.br/lista-de-centros-espiritas-pelo-brasil/  (in PDF document text)
    • http://www.neapa.org.br/centros_espiritas  (in PDF document text)
    • http://www.oconsolador.com.br/ano7/347/oespiritismoemoutrospaises.html  (in PDF document text)
    • http://cei-spiritistcouncil.com/paises-membros/?lang=pt-  (in PDF document text)
    • http://centroespiritajoanadarc.com/  (in PDF document text)
    • http://www.acaminhodaluzituiutaba.com.br/index.php?option=com_contact&view=contact&i  (in PDF document text)
    • http://www.pontalespirita.com.br/index/index.php/fale-  (in PDF document text)
    • http://www.feak.org/  (in PDF document text)
    • http://www.jesusnazare.com.br/contato/  (in PDF document text)
    • http://ide-jf.org.br/  (in PDF document text)
    • http://www.cepainfo.org/index.php?option=com_contact&view=contact&id=1:contacto&Ite  (in PDF document text)
    • http://www.espiritualidades.com.br/contato.htm  (in PDF document text)
    • http://www.cejn.org.br/news/casas-espiritas-santa-  (in PDF document text)
    • http://www.espiritismoemdebate.com.br/paginas_do_site/enderecos/amapa.html  (in PDF document text)
    • https://www.fergs.org.br/fale-conosco  (in PDF document text)
    • http://www.fero.org.br/fale-conosco  (in PDF document text)
    • http://www.correiofraterno.com.br/index.php?option=com_content&task=view&id=179  (in PDF document text)
    • http://180graus.com/espirita  (in PDF document text)
    • http://www.ameees.org.br/  (in PDF document text)
    • http://cei-spiritistcouncil.com/paises-  (in PDF document text)
    • http://espiritismoquito.blogspot  (in PDF document text)
    • http://www.ceanet.com.ar/centros-espiritas/  (in PDF document text)
    • http://www.espiritismoenmexico.org/index.php/contacto#cid_115  (in PDF document text)
    • http://masdemx.com/  (in PDF document text)
    • http://bruxelles.cesak.org  (in PDF document text)
    • http://www.torontospiritistsociety.org/  (in PDF document text)
    • http://www.febtv.com.br/contact_us.php  (in PDF document text)
    • http://radioetvamorfraterno.com/  (in PDF document text)
    • http://www.tvalvoradaespirita.com.br/contato.php  (in PDF document text)
    • https://tvnovaluz.com/  (in PDF document text)
    • http://www.tvaberta.tv.br/contato  (in PDF document text)
    • http://www.visaoespirita.tv/fale_conosco  (in PDF document text)
    • http://tvmundialdeespiritismo.com/contato.jsf  (in PDF document text)
    • http://soudubem.com/radiodubem/  (in PDF document text)
    • https://www.radioriodejaneiro.am.br/  (in PDF document text)
    • http://www.avozdoespiritismo.com.br/  (in PDF document text)
    • http://radioboanova.com.br/  (in PDF document text)
    • http://jornalcienciaespirita.spiritualist.one/  (in PDF document text)
    • http://www.correioespirita.org.br/entre-em-contato-conosco  (in PDF document text)
    • http://jornalespacoespirita.com.br/index.php/contato/  (in PDF document text)
    • http://www.revistaautadesouza.com/index.php/contato  (in PDF document text)
    • http://www.lardefreiluiz.org.br/contato/  (in PDF document text)
    • http://www.mundoespirita.com.br/  (in PDF document text)
    • https://www.portalser.org/contato/  (in PDF document text)
    • http://www.espiritismoeluz.org.br/  (in PDF document text)
    • https://espirito.org.br/contato/  (in PDF document text)
    • http://www.nucleoespiritanovaera.com.br  (in PDF document text)
    • http://cebemcatanduva.com.br  (in PDF document text)
    • http://www.abrigobezmenezes.org.br/  (in PDF document text)
    +81 more URL(s)
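The two heuristics above only tell an analyst that /Encrypt is declared and that URLs were found; in practice the next questions are which security handler and cipher the file declares, and whether any active-content or outbound-reference names survive in cleartext, since names and dictionary keys are never encrypted. The Python below is an added example written for this page, not the analysis tool's own code. The PDF bytes are a constructed skeleton whose string and stream bodies are placeholder bytes standing in for ciphertext; the risky-name list, the output keys and the AESV2/AESV3/V2 cipher mapping are the example's own choices.

```python
import hashlib
import re

# Constructed sample (not the analysed file): a minimal PDF skeleton with an
# /Encrypt dictionary for the standard security handler (AESV2), a /URI link
# annotation and an /OpenAction JavaScript action. String and stream bodies
# are placeholder bytes standing in for ciphertext; only the object structure
# is exercised here.
SAMPLE_PDF = b"""%PDF-1.6
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] /Contents 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (\x8a\x11opaque) >> >> endobj
5 0 obj << /Length 8 /Filter /FlateDecode >> stream
\x00\x01\x02\x03\x04\x05\x06\x07
endstream endobj
6 0 obj << /Filter /Standard /V 4 /R 4 /Length 128
  /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>
  /StmF /StdCF /StrF /StdCF /P -3904 /O (\x01\x02) /U (\x03\x04) >> endobj
7 0 obj << /S /JavaScript /JS (\x9f\x02opaque) >> endobj
trailer << /Root 1 0 R /Encrypt 6 0 R /ID [<0123> <0123>] >>
%%EOF
"""

ENCRYPT_RE = re.compile(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R\b")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
NAME_RE = re.compile(rb"/([A-Za-z0-9#._-]+)")
# Names that mark active content or outbound references (example's own list).
# Names are never encrypted, so these stay visible even when the payload is not.
RISKY_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch",
               b"EmbeddedFile", b"URI", b"RichMedia", b"XFA"}


def find_objects(pdf):
    """Map (object number, generation) to the raw bytes between obj/endobj."""
    return {(int(m.group(1)), int(m.group(2))): m.group(3)
            for m in OBJ_RE.finditer(pdf)}


def encryption_info(pdf):
    """Describe the /Encrypt dictionary, or return None for an unencrypted file."""
    ref = ENCRYPT_RE.search(pdf)
    if not ref:
        return None
    body = find_objects(pdf).get((int(ref.group(1)), int(ref.group(2))))
    if body is None:
        return {"filter": None, "error": "dangling /Encrypt reference"}

    def name_val(key):
        m = re.search(rb"/" + key + rb"\s*/([A-Za-z0-9]+)", body)
        return m.group(1).decode() if m else None

    def int_val(key):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else None

    v, cfm = int_val(b"V"), name_val(b"CFM")
    if v is not None and v >= 4 and cfm:  # crypt filters carry the cipher name
        algorithm = {"AESV2": "AES-128-CBC", "AESV3": "AES-256-CBC", "V2": "RC4"}.get(cfm, cfm)
    elif v in (1, 2):  # pre-crypt-filter handlers are RC4 only
        algorithm = "RC4"
    else:
        algorithm = "unknown"
    return {"filter": name_val(b"Filter"), "V": v, "R": int_val(b"R"),
            "key_bits": int_val(b"Length"), "algorithm": algorithm}


def risky_names(pdf):
    """Per object number, the risky names found; keys stay in cleartext."""
    found = {}
    for (num, _gen), body in find_objects(pdf).items():
        hits = sorted({n for n in NAME_RE.findall(body) if n in RISKY_NAMES})
        if hits:
            found[num] = [h.decode() for h in hits]
    return found


def triage(pdf):
    enc = encryption_info(pdf)
    names = risky_names(pdf)
    return {
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "encrypted": enc is not None,
        "encryption": enc,
        "risky_names_by_object": names,
        # For an encrypted file only a name-level hit can justify a JavaScript
        # claim; the script text itself is unreadable without the key.
        "javascript_present": any({"JS", "JavaScript"} & set(v) for v in names.values()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Run against a real file the regexes are deliberately loose (they also catch objects inside incremental updates), so treat a hit as a pointer to an object worth decrypting with a proper parser once the key is known, not as a verdict on its own.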

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                        Size
font_00_sfnt_off001eb50c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1EB50C   174408 bytes
    SHA-256: 31f454cd10c3c8194174a6149a3eaf026e54edf9bc3486205c5b11839a16a8e9
font_01_sfnt_off001ffbb4.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1FFBB4   229736 bytes
    SHA-256: 93b453deee9468978c0992472055ae44f8b2089261b1fe8f0d07b5916ecc5733
font_02_sfnt_off00212fdb.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x212FDB   28148 bytes
    SHA-256: 2428df7e6a90edacd13c8fa289741db4114ab71d9b49ef4366576a244d44c684
font_03_sfnt_off00216367.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x216367   210432 bytes
    SHA-256: 5f8f3ba5ea67b16d43c0e1976f13f2f90a940ef485c80406f2ac13f9d832aa8d
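Carving an sfnt font at a raw file offset, as the artifact table above records, needs more than matching the four-byte magic: the table directory gives the font's true extent and lets the carver reject chance hits in binary data. The Python below is an added example, not the tool that produced this report. The two fonts and the bytes around them are constructed inside the script, and the sanity bounds (at most 64 tables, printable tags, consistent searchRange/entrySelector/rangeShift) are the example's own. It scans uncompressed, unencrypted bytes only; a stream that is Flate-compressed or encrypted has to be inflated or decrypted before this carver can see the font.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")  # TrueType, CFF OpenType, Mac TrueType


def sfnt_extent(blob, off):
    """Validate an sfnt header at blob[off:] and return the font's length in
    bytes as implied by its table directory, or None if the candidate does not
    look like a font (the 4-byte magic occurs by chance in binary data)."""
    if off + 12 > len(blob):
        return None
    num_tables, search_range, entry_selector, range_shift = struct.unpack(
        ">HHHH", blob[off + 4:off + 12])
    if not 1 <= num_tables <= 64:  # example's own sanity bound
        return None
    # searchRange/entrySelector/rangeShift are fixed functions of numTables;
    # a mismatch is a cheap way to drop false positives.
    es = num_tables.bit_length() - 1
    sr = (1 << es) * 16
    if (search_range, entry_selector, range_shift) != (sr, es, num_tables * 16 - sr):
        return None
    end = 12 + 16 * num_tables  # end of the directory, relative to off
    if off + end > len(blob):
        return None
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):  # tags are printable ASCII
            return None
        if t_off < 12 or off + t_off + t_len > len(blob):
            return None
        end = max(end, t_off + t_len)
    end = (end + 3) & ~3  # tables are 4-byte aligned
    return min(end, len(blob) - off)


def carve_sfnt(blob):
    """Return (offset, length, sha256) for every sfnt font found in blob."""
    found, pos = [], 0
    while pos < len(blob):
        hits = [i for i in (blob.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            break
        off = min(hits)
        size = sfnt_extent(blob, off)
        if size is None:
            pos = off + 1  # not a font; keep scanning past this magic
            continue
        found.append((off, size, hashlib.sha256(blob[off:off + size]).hexdigest()))
        pos = off + size  # skip the carved font so its own header is not re-hit
    return found


def build_font(tables):
    """Constructed sample: assemble a minimal TrueType-flavoured sfnt from a
    {tag: bytes} mapping. Table contents are placeholders."""
    n = len(tables)
    es = n.bit_length() - 1
    sr = (1 << es) * 16
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, sr, es, n * 16 - sr)
    directory, body = b"", b""
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)
    return header + directory + body


FONT_A = build_font({b"head": b"\x00" * 54, b"name": b"constructed name table"})
FONT_B = build_font({b"cmap": b"\x01\x02\x03", b"glyf": b"G" * 17, b"loca": b"\x00" * 8})
# Constructed carrier: two fonts inside uncompressed stream-like filler, plus a
# stray magic followed by junk that the validator must reject.
BLOB = (b"%PDF filler " + b"\x00\x01\x00\x00\xff\xff" + b"stream\n" + FONT_A
        + b"\nendstream " + FONT_B + b"\nendstream\n%%EOF")


if __name__ == "__main__":
    for off, size, digest in carve_sfnt(BLOB):
        print(f"font at offset 0x{off:X}, {size} bytes, sha256 {digest}")
```

The reported length is taken from the directory rather than from the enclosing stream's /Length, so a font whose directory points past the end of the stream is rejected instead of being carved with trailing garbage; hashing the carved bytes gives a digest that can be compared across samples the way the table above does.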