PDF static analysis report

Static analysis result for SHA-256 906b2154f6d5afee…

CLEAN

PDF

Size: 10.26 MB
First seen: 2020-02-04
MD5: e19831a3eb05b595f87753e4a353ce3a SHA-1: fa1c3831045922586f4c80ebec9bd1aac092042b SHA-256: 906b2154f6d5afee7a90d7f1a9c51d4bf6606be7852df583d582deb2709b9485
Risk Score: 24

Machine Learning

  • Nyx PDF Classifier clean score 0.0548

Heuristics 3

  • Unusually high stream count (medium): PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Suspicious extracted artifact (info): EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (info): EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 27

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
icc_00_off00004c33.icc pdf-icc-profile PDF ICC profile at offset 0x4C33 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_cff_off000056c3.bin pdf-font-stream PDF embedded font (cff) at offset 0x56C3 4474 bytes
SHA-256: ad384208fe5dc3fd9970f7cf0157b088dfc5d6d998a1a9e891ee25b25d71dbb0
font_01_cff_off00006711.bin pdf-font-stream PDF embedded font (cff) at offset 0x6711 4524 bytes
SHA-256: 010eaceeb87976535e475cb936db89a0ccf1f9e30a9d99691d7f550b226e3096
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_02_cff_off000077fb.bin pdf-font-stream PDF embedded font (cff) at offset 0x77FB 2591 bytes
SHA-256: 352764523665fa2f17b887e40f010b9c624469931ebf7a9d58ff3e8e94034a44
font_03_cff_off00028993.bin pdf-font-stream PDF embedded font (cff) at offset 0x28993 782 bytes
SHA-256: 7d25616632dd8ae6a157c42ab90f9a6ba8491141a85737aca43b5b17bb97280b
font_04_sfnt_off0087dbe9.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x87DBE9 34576 bytes
SHA-256: 55c204f423496a1560877b3f09382a2fd6d8a52c3d09d1463d26d95faab98ee3
font_05_sfnt_off008818fd.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x8818FD 39257 bytes
SHA-256: 0be2e5485860f49936a02cd82ab53fb9d96ca348b64d1cb335719b9e02907422
font_06_sfnt_off00886288.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x886288 49457 bytes
SHA-256: 1e12726955d1ec00d19044d07063b9fba874751fcbdecfeb7d4949ae55ff0f14
font_07_sfnt_off0088bf01.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x88BF01 53272 bytes
SHA-256: 68b71e6b16616f2356abc68115e040e5e5d5539558ab1407a956fff8f8fa27a5
font_08_cff_off0095abda.bin pdf-font-stream PDF embedded font (cff) at offset 0x95ABDA 3046 bytes
SHA-256: 2c74a6d586be351513ce6caddcc2369c2d0a609fe9f83cfbb0dc66219a6cd2ad
font_09_cff_off009cb993.bin pdf-font-stream PDF embedded font (cff) at offset 0x9CB993 8550 bytes
SHA-256: cfb4972ad22c148bfe9d54c6d8fb9b01392cd4ccad5d17f61d096b4d495f09f1
font_10_cff_off009cd801.bin pdf-font-stream PDF embedded font (cff) at offset 0x9CD801 4195 bytes
SHA-256: 3da4ab8b69216c1679e9e2c9ac21cb26e712b9403f872cf8237af4c423bd4320
font_11_cff_off009cf55a.bin pdf-font-stream PDF embedded font (cff) at offset 0x9CF55A 2835 bytes
SHA-256: 935ea02a60b1fc4cbe4ce2f1b02a9aa65656913f12950d8db8adaa141bd6ff41
font_12_cff_off009d0523.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D0523 4992 bytes
SHA-256: a3cc6c2fde02df9b6539db9014a671f36a3480f2d209e2a2850566661eba1bf1
font_13_cff_off009d18db.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D18DB 5424 bytes
SHA-256: 5137d56672d6f76f5ab9bdd9a0383b1aac6a6295c01e06b0e2ac12f509a0589a
font_14_cff_off009d3d0e.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D3D0E 514 bytes
SHA-256: 651b40b16214c8a6c775ef64470aab261f24a4de846e8c03e0ee690ff8d39319
font_15_cff_off009d4068.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D4068 12599 bytes
SHA-256: ae544b55738f3fdbc9f6c16d3ced23920662f080c7ae2a37441a9e56709eca1a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.44, consistent with packed or encrypted content.
font_16_cff_off009d7299.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D7299 10323 bytes
SHA-256: bf197dbf34e0194dafabbe4e0509105229587b3c03ae0a7b071cd6d022bebc1d
font_17_cff_off009d9683.bin pdf-font-stream PDF embedded font (cff) at offset 0x9D9683 6778 bytes
SHA-256: f4f59c9d841d177468d0ee7e2bdea799dde6f41065cdb8d191ba1812d0bafaa9
font_18_cff_off009daee0.bin pdf-font-stream PDF embedded font (cff) at offset 0x9DAEE0 13636 bytes
SHA-256: 44faf02b1b4d095071694d86da4962f66455f149a57eff42bb1d83d8be969d54
font_19_cff_off009df165.bin pdf-font-stream PDF embedded font (cff) at offset 0x9DF165 2467 bytes
SHA-256: 97adb2e113c07d216f5cefbaa9e7181dd92f28d05da4552ce538efdc7f0c2425
font_20_cff_off009e0462.bin pdf-font-stream PDF embedded font (cff) at offset 0x9E0462 3164 bytes
SHA-256: c74642ed645cf9a7b7d252881cf17d956f65cbf1c089ff253462689933dea1f6
font_21_cff_off009e3566.bin pdf-font-stream PDF embedded font (cff) at offset 0x9E3566 5432 bytes
SHA-256: 10766f889f61f841a4893f2b74a86ffcd7e0b76a0dcd2dfe39c8295569455a64
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.43, consistent with packed or encrypted content.
font_22_cff_off009e4f9f.bin pdf-font-stream PDF embedded font (cff) at offset 0x9E4F9F 3337 bytes
SHA-256: 36700f42cb2f4fbb8144c6d8fddf1c47c808623df04bf26406d9028d6873d998
font_23_cff_off009e6d30.bin pdf-font-stream PDF embedded font (cff) at offset 0x9E6D30 2498 bytes
SHA-256: 3b12c208e1e99c91c9cb3c78adc6399b6cbe10304c7965e0bfc4c6d81e601ef2
font_24_cff_off009e7e62.bin pdf-font-stream PDF embedded font (cff) at offset 0x9E7E62 4041 bytes
SHA-256: 4b323fff456b649be22d8f674e7cde569278e0394920132f54a632f7971a6c15
font_25_cff_off009f7f5d.bin pdf-font-stream PDF embedded font (cff) at offset 0x9F7F5D 518 bytes
SHA-256: adede00bfc082b458aa079cb7f659d7f4f8653005feac7be5b57d944e04c6309