PDF static analysis report

Static analysis result for SHA-256 862b0eba0770bd2d…

CLEAN

PDF

Size: 68.8 KB
Created: 2017-01-06 13:07:08 +08:00
First seen: 2018-10-07
MD5: c96f4d881f70b33df176ef228d8395b5
SHA-1: dabb09941b2defcae9ea23d79bf3f1a217337961
SHA-256: 862b0eba0770bd2db8f96f6c286448f175c3b0baaac265a4d1289a8250b53ec7
Risk Score: 22

Machine Learning

  • Nyx PDF Classifier clean score 0.0416

Heuristics (2)

  • Clickable URI points to raw IP address (severity: medium, rule: PDF_URI_IP_LITERAL)
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://79.172.211.32/mail/kJQnlf_xPbPYarQcadrimnQoltd16357917Gl.pdf (PDF link annotation)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_003_off00006eec.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x6EEC
    Size: 19856 bytes
    SHA-256: a930245e90be17a336a7679d31e9d416ddec66c65020bec75b59b2e2bfc19120
  • font_01_sfnt_off0000a47e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA47E
    Size: 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
  • font_02_sfnt_off0000da37.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDA37
    Size: 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1