PDF static analysis report

Static analysis result for SHA-256 9a40f4166e0704c6…

Verdict: SUSPICIOUS

File type: PDF

Size: 70.3 KB
Created: 2020-11-26 06:41:59 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-02
MD5: d7cb94f025248a8469ab8900a3e6cdd8
SHA-1: 904e109447d641ce20071696ecfdcb099dab133f
SHA-256: 9a40f4166e0704c683797f0b0e9263da7c876a3f77f7ba886cf9b35d211bfa3c
Risk score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as suspicious by an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
font_00_sfnt_off0000c9b3.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC9B3   | 5292 bytes
  SHA-256: 872dbcfbd83e0ec907d72f2b314af52242fff4e670fb41ecc7b825aa5bccf064
font_01_sfnt_off0000dbc7.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDBC7   | 10124 bytes
  SHA-256: b5690a5be168f3a5acad457294529ce24c10213d3138dbed83d3f54813124373
font_02_sfnt_off0000fe6f.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFE6F   | 4324 bytes
  SHA-256: 7f6049e5011acf0e8581793f2bc2bb947aac2929fdb77abc318b2a6155c1ef71