Risk Score: 30 (SUSPICIOUS)

Machine Learning
- Nyx PDF Classifier: clean score 0.0001
Heuristics (3)
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- External URI (low, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://ocsp.verisign.com0 (PDF link annotation)
  - http://www.microsoft.com/truetype/fonts/wingdings/You (PDF link annotation)
  - http://crl.verisign.com/ThawteTimestampingCA.crl0 (PDF link annotation)
  - http://crl.verisign.com/tss-ca.crl0 (PDF link annotation)
  - http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O (PDF link annotation)
  - http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0 (PDF link annotation)
  - http://www.microsoft.com/typography (PDF link annotation)
Extracted artifacts (16)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_034_off0004dcf5.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4DCF5 | 50864 bytes | 9804e5e2c843480a1414ffd1b344a010eaa32850f51d0478043ab9243005c30f | |
| stream_046_off00064b9a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x64B9A | 66140 bytes | 151d3fd984f6e4b17b964d5399033bd66fea11a0e0289849ed1d9c86bd23cef6 | |
| font_00_sfnt_off00040ae9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x40AE9 | 24492 bytes | d2d96347dadf6d9bd0bbdb404de1728834779a0ffbb602896ceeb0f6896123ab | |
| font_01_sfnt_off00042fed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x42FED | 54756 bytes | e22217bfa77499d5722527e0fcda0ad8f4e8af6cead3cf2dfef9a0c7af62b79e | |
| font_02_sfnt_off000477a5.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x477A5 | 42108 bytes | b34682d7b198c93cf4b4dd8588b82403b440c19cfca837e85c367f9d9871a248 | |
| font_03_sfnt_off0004ae15.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4AE15 | 38932 bytes | d86d1b3d0902e41f78ff05094bf783471f24d18f2a8ffc62053589b4b9670b81 | |
| font_05_sfnt_off000520bb.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x520BB | 28148 bytes | 2428df7e6a90edacd13c8fa289741db4114ab71d9b49ef4366576a244d44c684 | |
| font_06_sfnt_off0005548f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5548F | 24360 bytes | ce3af6affdcf595e43bafa9efcf83ece3e4093c1b218eb2d533623d09bf0bc4b | |
| font_07_sfnt_off00057317.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57317 | 24524 bytes | 2bb0ff79696499674ad8000607a5e3052e3fb101a2b18c59adf0d89f77488f93 | |
| font_08_sfnt_off00059818.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x59818 | 48544 bytes | c6ef32e0325bcbd34cc0f12b487be788341c440e6812a0040177ab9c624300ec | |
| font_09_sfnt_off0005d804.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5D804 | 37608 bytes | 4c85967edebc5b9594381ad0d550d26757d1980bba84410f932bfb4acb83e162 | |
| font_10_sfnt_off0005ff91.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5FF91 | 36384 bytes | 4b806bb4d49f76d9740560c4e9117e9a544ba01dd5b8c62131964b8f5572f253 | |
| font_13_sfnt_off00069b02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x69B02 | 51468 bytes | fba8df98917db28fde9b2ba5a588695174bcb8349dc7f133b804223be2938226 | |
| font_14_sfnt_off0006c98a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6C98A | 56568 bytes | 1360bee13162824e5e67c82cf17360e651f0dcbd9c3cbd3ebd4563413ac131ea | |
| font_15_sfnt_off000717f2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x717F2 | 41408 bytes | f5b4460199794e5af00ce79ed525fb09117866a53ec93d381b62d36da862e4ee | ClamAV: No threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04 |
| font_16_sfnt_off00074b5a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74B5A | 59776 bytes | 3ee2034b2acbea5c22898e7aed3a423adcc2855c779c82a227407a3571501330 | |