PDF static analysis report

Static analysis result for SHA-256 87e00bebef380f05…

Verdict: SUSPICIOUS
File type: PDF
Size: 331.7 KB
Created: 2020-04-10 19:38:39 +02:00
Authoring application: Microsoft® Word 2016
First seen: 2020-09-24
MD5: 2a2542818216957fe0e472ae252e632c
SHA-1: ee7557b8f095b6f733b1e038345ccb1ccd0012a6
SHA-256: 87e00bebef380f05f07840cb38fb654af273f513801f629e0098e4914b6f583f
Risk score: 26

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains heuristics indicating it is a callback phishing lure, prompting the user to call a phone number for a fabricated issue. While no scripts were extracted, the presence of embedded URLs suggests potential for further malicious activity. The document's structure and embedded objects are consistent with malicious PDF documents.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0399

Heuristics (4)

  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_007_off00018d38.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x18D38 | 401652 bytes
  SHA-256: 595263ad44f6f26f0da80dda3ea4f2a7c2fc5b16e679246fd5a3f5dcaa7ebee8
font_00_sfnt_off000126a2.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x126A2 | 95948 bytes
  SHA-256: 2300d2e981ddfbe46310318308901c523511b5ebc9c6cf846b7470985d491725
font_02_sfnt_off00032ec4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x32EC4 | 366204 bytes
  SHA-256: bf9f282aa5a5521f8602fd2fa5db1e326d6a426dffb533f5c124cbb9d05c385d
font_03_sfnt_off00048a08.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x48A08 | 25176 bytes
  SHA-256: e6e13cea8691623151968fb68e710283c7dbfdeb8fd6c78bd223fa03f1a53b35
font_04_sfnt_off0004bf81.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4BF81 | 83856 bytes
  SHA-256: 44b3ef280743406f07a87aff232c3585c603a94bceaa199da9a8b04f56facdfa