PDF static analysis report

Static analysis result for SHA-256 83cf7395b20f29c9…

Verdict: SUSPICIOUS
File type: PDF
Size: 502.0 KB
Created: 2007-09-06 11:56:11 UTC
Authoring application: FrameMaker 7.0 (via Acrobat Distiller 7.0 (Windows))
First seen: 2015-09-14
MD5: c81b567ea22b0b02a9bd1beaf32efbf8
SHA-1: b76902197361e461945f4ac805b93c7211de5534
SHA-256: 83cf7395b20f29c938558e46d083f209313e1b4d7e4dae24b92a831d2d3e53c5
Risk score: 44

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF contains embedded URLs, one of which is flagged as suspicious and points to a scientific publication. The document body also contains what appears to be a malformed URL that includes a command-line argument, potentially intended to exploit a vulnerability or redirect the user to a malicious site. The presence of these elements suggests an attempt to trick the user into navigating to a harmful resource.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0041

Heuristics (3)

  • LOLBin token sequence in document text (severity: high; SE_LOLBIN_RUN_COMMAND)
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI (severity: info; PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size (SHA-256 of each artifact on the line below it)
stream_019_off0000b350.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB350 28316 bytes
SHA-256: 6ebbc2efc5b3df6c7d70556d1e8588d6a5d479bf586db56518f5e26f437fd917
stream_056_off0005d79c.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5D79C 38042 bytes
SHA-256: 488090e56b96ec18ed62bb7e59e465b763f9ac5eed0ad50a7a03f9589935fde8
icc_00_off0000a8ea.icc pdf-icc-profile PDF ICC profile at offset 0xA8EA 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off00002d19.bin pdf-font-stream PDF embedded font (cff) at offset 0x2D19 4384 bytes
SHA-256: fc9e2245f8423cb25f6a65a1c2e6235c0fe0c22021c6099f641335a0e63114e1
font_01_cff_off000044b8.bin pdf-font-stream PDF embedded font (cff) at offset 0x44B8 5422 bytes
SHA-256: 84113a54676a5d80c94e76486500a4b392eb6b0b88eab218b2fae2748333961b
font_02_cff_off00006bea.bin pdf-font-stream PDF embedded font (cff) at offset 0x6BEA 4664 bytes
SHA-256: 517ebaaa2c3ff34620c1aec188ea7635555e7578b1ad80172387cecaadcff6c9
font_03_cff_off00008aa1.bin pdf-font-stream PDF embedded font (cff) at offset 0x8AA1 3178 bytes
SHA-256: 25fc9052593abe1b96cb028b86d3e52b3e612472d5f1b68e965890513926d718
font_05_sfnt_off0000eecb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0xEECB 18828 bytes
SHA-256: 1c225bbadcb3145564f3a31749cc1aa1cab90b2855d9044294c52f5518ef07b9
font_06_sfnt_off00011a34.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A34 15768 bytes
SHA-256: 6d46e65e052a5d08bb0ac2c98d922edd8afd92c29001eb950418655029754deb
font_07_cff_off000145cc.bin pdf-font-stream PDF embedded font (cff) at offset 0x145CC 6301 bytes
SHA-256: b2284589457d7f01d1afe09e7341e6eba5adb288fd5084422a3cd3c590131f8e
font_08_cff_off00015b23.bin pdf-font-stream PDF embedded font (cff) at offset 0x15B23 9441 bytes
SHA-256: 614d19d8be60c78983c76642f01971548556bf6d1bc7c53ddb5f8cc4a0227b86
font_09_cff_off00017941.bin pdf-font-stream PDF embedded font (cff) at offset 0x17941 1643 bytes
SHA-256: 5c044f8b46e28d912cbe3b1137d66f5232abfbb9598b705192b8d54d3390ff9e
font_10_cff_off0002990d.bin pdf-font-stream PDF embedded font (cff) at offset 0x2990D 241 bytes
SHA-256: 7ca2a0d3be0be926b7c1879d9ebf4583521a4f9790697525f276f332e922a7cf
font_11_cff_off00029b09.bin pdf-font-stream PDF embedded font (cff) at offset 0x29B09 813 bytes
SHA-256: ea00cb9d9fd550183d97d13c258fcc14dee31db9514b075a31df552ae4d3400f
font_12_cff_off00029f5c.bin pdf-font-stream PDF embedded font (cff) at offset 0x29F5C 998 bytes
SHA-256: f149f4d80d6e70026bd6499e8639ad87e45c49003823c632553322ec8cb56a04
font_13_cff_off0002a451.bin pdf-font-stream PDF embedded font (cff) at offset 0x2A451 554 bytes
SHA-256: 31742f44ce5a4956a29a90e4097b3196b27ce7376f892625b4c772826083e7b7
font_14_cff_off0003efb7.bin pdf-font-stream PDF embedded font (cff) at offset 0x3EFB7 798 bytes
SHA-256: 5e705588002fc6fbc5a20a65be4bc2197a71d02c508bfa095421665905a706f8
font_15_cff_off0003f54b.bin pdf-font-stream PDF embedded font (cff) at offset 0x3F54B 223 bytes
SHA-256: 45fb42728ad8ea7b2deacbfba4d774db8d7b9c13affac2dd8d11e9fa6f04d18a
font_16_cff_off0003f894.bin pdf-font-stream PDF embedded font (cff) at offset 0x3F894 391 bytes
SHA-256: 1cf8c1897b70d55ad17d410237cbbf654df31713580cbbc8a351049201da97b9
font_17_cff_off000447ff.bin pdf-font-stream PDF embedded font (cff) at offset 0x447FF 442 bytes
SHA-256: ead6864d5ef8d23d561346bde468215f4efd684b5d2e68f3d0c7590ad9a20597
font_18_cff_off00049b46.bin pdf-font-stream PDF embedded font (cff) at offset 0x49B46 443 bytes
SHA-256: 5b0b328b5922fcf43cd52f613c11080569e6c40fa2ab4bfe417e80a1892b9360
font_19_cff_off00049e27.bin pdf-font-stream PDF embedded font (cff) at offset 0x49E27 852 bytes
SHA-256: 4057c9d23baa58039d8d9c3dced84167b3e7333e7cfb60043a043ad0a0d3c7f4
font_20_cff_off0004a2d0.bin pdf-font-stream PDF embedded font (cff) at offset 0x4A2D0 3875 bytes
SHA-256: 17ac1281c6cdb4d73c260737771a70f3e0b0c48583ca68abb8d5545847c7eba8
font_21_cff_off0004b4e9.bin pdf-font-stream PDF embedded font (cff) at offset 0x4B4E9 611 bytes
SHA-256: f1313dba659d7d69f7642af05be37d09d7b8f33b153e710dd6555cbc0bacff81
font_22_cff_off0006192b.bin pdf-font-stream PDF embedded font (cff) at offset 0x6192B 2727 bytes
SHA-256: 80347fe8a2fa9b4e6f47f99e100507c7e8bc6a951e2acae34ec4e75e7602d063
font_23_cff_off000623fe.bin pdf-font-stream PDF embedded font (cff) at offset 0x623FE 2388 bytes
SHA-256: 6595a7d9f3725260fb05ce9e78ab34aeb7d585447af06345c4c8188bd06bd38e
font_24_cff_off00062d78.bin pdf-font-stream PDF embedded font (cff) at offset 0x62D78 798 bytes
SHA-256: 71b5d3f126daf1ea409851cc40d0dac21906f5863b2f5ffa82370e0857e89bfd
font_25_sfnt_off000633df.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x633DF 20596 bytes
SHA-256: 2b6c38224e09db98c1c4a02f5963f503b5fc7a15f6722ec24be4d1c874c35458
font_26_sfnt_off000659f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x659F6 12660 bytes
SHA-256: 011c7ca26bc931f7b3668ebe6102946d4d0377dca1fdb26985bf7a2b5746a2c0
font_27_sfnt_off00067a36.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x67A36 4620 bytes
SHA-256: 96713a43064bc4181d1e6532d00a1219c6a3a4f9b062c02d5d83e8d6a52db180
font_28_cff_off000683ad.bin pdf-font-stream PDF embedded font (cff) at offset 0x683AD 861 bytes
SHA-256: 77c520c50f4ae45da6913ec14611fbf265c6e7175a4ecc14adfa085e8f6b3e60
font_29_cff_off00068f9b.bin pdf-font-stream PDF embedded font (cff) at offset 0x68F9B 2154 bytes
SHA-256: b16d5a62b494f2397c868ab95b7d8a19169c2a18d55e2a1e1020ddf44f2ddf6c