PDF static analysis report

Static analysis result for SHA-256 83bca1162529e4a0…

SUSPICIOUS

PDF

Size: 4.74 MB
Created: 2022-11-04 16:44:32
Authoring application: AutoCAD LT 2021 - English 2021 (24.0s (LMS Tech)) (via pdfplot16.hdi 16.00.047.00000)
First seen: 2026-05-25
MD5: 5d43a7bd97cfdda5b499b0de4b8a93fb SHA-1: 4a1eb355d48a84031738e3d8117c29cec0a9e9f5 SHA-256: 83bca1162529e4a05f4eebaf3e95622b3cbf59383dfedd26ff92d14b54519830
Risk Score: 48

Machine Learning

  • Nyx PDF Classifier: clean, score 0.0065

Heuristics (6)

  • Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • ASCII85Decode filter (with exploit indicators) (severity: low, rule: PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (16)

Files carved from inside the sample during analysis.
