PDF static analysis report

Static analysis result for SHA-256 7ef668658f232902…

CLEAN

PDF

Size: 84.1 KB
Created: 2018-10-16 11:27:46 -06:00
Authoring application: Microsoft® Word for Office 365
First seen: 2019-05-16
MD5: a997d44de263e33c5954fcf74c71be1c
SHA-1: 3b14ccb1036dd2610198aef145d8d3d8faceec62
SHA-256: 7ef668658f232902a7d02e9ab716d7ae5b5e6d4afbd9a9c9ae5e0fd40bfc95df
Risk Score: 24

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains embedded URLs, one of which, 'aleqarz.net/admin/d/valid/secure/index.php', is flagged as suspicious. A second heuristic reports an external URI action pointing to the same domain. The document body, although partially obscured, references these URLs and appears designed to lure the user into clicking them. No scripts were extracted from the sample, which limits further analysis of any payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics (3)

  • Document signing service impersonation lure medium SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://aleqarz.net/admin/d/valid/secure/index.php — PDF link annotation
    • https://turbine.cf/secure/p/valid/secure/index.php — In PDF document text
    • https://www.google.com/ — In PDF document text
    • https://ci4.googleusercontent.com/proxy/YrbDhpnGLeLblOOAneMjgFO6hajZWchA4yjGSKAJQBz8D3LVnopub61qQH1HefrXOnbgq-tDl9I5o_5o-Qwvhfa2z_VS8W4kXGBAY92HUNXsDlXyzHUTSA=s0-d-e1-ft#https://www.docusign.net/member/Images/email/docComplete-white.png — In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://en.wikipedia.org/wiki/MIT_License — In PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X — In PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 — In PDF document text
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a — In PDF document text
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0 — In PDF document text
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T — In PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 — In PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^ — In PDF document text
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0 — In PDF document text
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@ — In PDF document text
    • http://www.microsoft.com/Typography — In PDF document text
    • http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoft — In PDF document text
    • http://www.microsoft.com/typography/fonts/default.aspx — In PDF document text

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00004f01.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F01 | 91176 bytes
    SHA-256: 8cf3136b6f3cb4b1d35462ebc3746aa837241973ef56595d51a6e2b89c5c3838
font_01_sfnt_off0000eb82.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEB82 | 80784 bytes
    SHA-256: 828cd0032985b6cafdd34e9ec35b6b21c27721286ac945d48e8595f6e635b106