Verdict: SUSPICIOUS
Risk Score: 48
Machine Learning
- Nyx PDF Classifier clean score 0.0065
Heuristics: 6
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture — can contain script logic
- ASCII85Decode filter (with exploit indicators) (low, PDF_FILTER_85): ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
- Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT): Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 16
Files carved from inside the sample during analysis.