PDF static analysis report

Static analysis result for SHA-256 874bc670ee3fee96…

SUSPICIOUS

PDF

Size: 548.9 KB
Created: 2017-08-01 15:40:41 +07:00
Authoring application: Microsoft® Word 2013
First seen: 2020-09-24
MD5: 37ba499910813548851366d44e6689b0
SHA-1: f3a91cf1f610c005d6088ce80665399ef5073a4d
SHA-256: 874bc670ee3fee961a42e1052f6206d132a6fe864345be963754fd5508af14f0
Risk Score: 30

Machine Learning

  • Nyx PDF Classifier | clean | score 0.0001

Heuristics (3)

  • Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI | low | PDF_URI
    PDF contains an external URL action
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Channel
    • http://ocsp.verisign.com0 | PDF link annotation
    • http://www.microsoft.com/truetype/fonts/wingdings/You | PDF link annotation
    • http://crl.verisign.com/ThawteTimestampingCA.crl0 | PDF link annotation
    • http://crl.verisign.com/tss-ca.crl0 | PDF link annotation
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O | PDF link annotation
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0 | PDF link annotation
    • http://www.microsoft.com/typography | PDF link annotation

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_034_off0004dcf5.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4DCF5 | 50864 bytes
    SHA-256: 9804e5e2c843480a1414ffd1b344a010eaa32850f51d0478043ab9243005c30f
stream_046_off00064b9a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x64B9A | 66140 bytes
    SHA-256: 151d3fd984f6e4b17b964d5399033bd66fea11a0e0289849ed1d9c86bd23cef6
font_00_sfnt_off00040ae9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x40AE9 | 24492 bytes
    SHA-256: d2d96347dadf6d9bd0bbdb404de1728834779a0ffbb602896ceeb0f6896123ab
font_01_sfnt_off00042fed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x42FED | 54756 bytes
    SHA-256: e22217bfa77499d5722527e0fcda0ad8f4e8af6cead3cf2dfef9a0c7af62b79e
font_02_sfnt_off000477a5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x477A5 | 42108 bytes
    SHA-256: b34682d7b198c93cf4b4dd8588b82403b440c19cfca837e85c367f9d9871a248
font_03_sfnt_off0004ae15.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4AE15 | 38932 bytes
    SHA-256: d86d1b3d0902e41f78ff05094bf783471f24d18f2a8ffc62053589b4b9670b81
font_05_sfnt_off000520bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x520BB | 28148 bytes
    SHA-256: 2428df7e6a90edacd13c8fa289741db4114ab71d9b49ef4366576a244d44c684
font_06_sfnt_off0005548f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5548F | 24360 bytes
    SHA-256: ce3af6affdcf595e43bafa9efcf83ece3e4093c1b218eb2d533623d09bf0bc4b
font_07_sfnt_off00057317.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57317 | 24524 bytes
    SHA-256: 2bb0ff79696499674ad8000607a5e3052e3fb101a2b18c59adf0d89f77488f93
font_08_sfnt_off00059818.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x59818 | 48544 bytes
    SHA-256: c6ef32e0325bcbd34cc0f12b487be788341c440e6812a0040177ab9c624300ec
font_09_sfnt_off0005d804.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D804 | 37608 bytes
    SHA-256: 4c85967edebc5b9594381ad0d550d26757d1980bba84410f932bfb4acb83e162
font_10_sfnt_off0005ff91.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FF91 | 36384 bytes
    SHA-256: 4b806bb4d49f76d9740560c4e9117e9a544ba01dd5b8c62131964b8f5572f253
font_13_sfnt_off00069b02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x69B02 | 51468 bytes
    SHA-256: fba8df98917db28fde9b2ba5a588695174bcb8349dc7f133b804223be2938226
font_14_sfnt_off0006c98a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C98A | 56568 bytes
    SHA-256: 1360bee13162824e5e67c82cf17360e651f0dcbd9c3cbd3ebd4563413ac131ea
font_15_sfnt_off000717f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x717F2 | 41408 bytes
    SHA-256: f5b4460199794e5af00ce79ed525fb09117866a53ec93d381b62d36da862e4ee
    Detection
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04
font_16_sfnt_off00074b5a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74B5A | 59776 bytes
    SHA-256: 3ee2034b2acbea5c22898e7aed3a423adcc2855c779c82a227407a3571501330