PDF static analysis report

Static analysis result for SHA-256 975c6e7fc6366370…

CLEAN

PDF

86.6 KB Created: 2022-02-25 08:29:08 -05:00 Authoring application: Microsoft® Word para Microsoft 365 First seen: 2022-03-23
MD5: 136d2a0c5f1f2a8b8baf583d06de6e85 SHA-1: b394dbcff055aaf65c85df4c53bc7c460659c7aa SHA-256: 975c6e7fc63663708a3686d0ecc86b01fc9b131009aaf67979f6993d7c154f2b
22 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link

The PDF document contains a heuristic firing for a URL shortener, indicating an attempt to obfuscate a destination URL. The document body itself is heavily obfuscated, but the presence of the shortened URL https://bit.ly/3hefcI3 is a clear indicator of a potential phishing or malware delivery attempt. The URL is confirmed benign in this instance, but the pattern suggests a malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0013

Heuristics 2

  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.systemgroupglobal.com/2251-2357 In PDF document text
    • https://bit.ly/3hefcI3In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYouIn PDF document text
    • http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In PDF document text
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn PDF document text
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In PDF document text
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In PDF document text
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@In PDF document text
    • http://www.microsoft.com/TypographyIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00004dd8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4DD8 141183 bytes
SHA-256: 16bcaada03b6f8731bbf7dca2a6688e1e5b85eb103aa5f8a035162ffa224ae5b
stream_005_off00008a8b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8A8B 67332 bytes
SHA-256: 87e9586229d6e1549fe14447862ebe123d40e07120d0e723534c9b9842132a16