PDF static analysis report

Static analysis result for SHA-256 a54c0b07e06cedbc…

Verdict: SUSPICIOUS
File type: PDF
Size: 4.25 MB
Created: 2023-06-14 09:46:54 +00:00
Authoring application: Microsoft® PowerPoint® 2016 (via 4-Heights™ PDF Library 3.4.0.6904 (http://www.pdf-tools.com))
First seen: 2026-05-13
MD5: d9c76a00263523a83176a120fa5ce684
SHA-1: c5726e9349b5b65ca527026bea66d3fbb1342a3c
SHA-256: a54c0b07e06cedbc37ce3378a957cb6257c2cf9e6da9525e86cc31c5cfd29d48
Risk Score: 44

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains an embedded URI pointing to 'www.finowings.com', which is flagged as suspicious. The presence of embedded JavaScript and an unusually high number of streams suggests obfuscation or malicious intent. The document body is heavily corrupted, preventing a detailed analysis of its content, but the embedded URI is the primary indicator of a potential phishing or malicious redirection attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0037

Heuristics (4)

  • Unusually high stream count (medium) PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.finowings.com/ (PDF link annotation)
    • https://chartink.com/screener/volume-3x (PDF document text)
    • https://chartink.com/screener/2x-increase-in-volume (PDF document text)
    • https://chartink.com/screener/volume (PDF document text)
    • https://chartink.com/screener/2x (PDF document text)
    • http://www.pdf-tools.com (PDF document text)
    • http://en.wikipedia.org/wiki/MIT_License (PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl (PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt (PDF document text)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl (PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt (PDF document text)
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl (PDF document text)
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt (PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl (PDF document text)
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt (PDF document text)
    • http://www.microsoft.com/pkiops/docs/primarycps.htm (PDF document text)
    • https://www.microsoft.com/en-us/Typography/ (PDF document text)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_015_off0002f3b5.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x2F3B5
Size: 263616 bytes
SHA-256: 7167bd175a8c246df5f8f3791e6b2958b550a92df91ed5f2df80507341ceede6

Filename: stream_031_off0006e288.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x6E288
Size: 517320 bytes
SHA-256: d0c7ef89457d32741f63228c5a958262d87a3a3bbbf64a4c5b4bb58d84bb5374
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x04

Filename: font_00_sfnt_off0001097d.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1097D
Size: 351456 bytes
SHA-256: ad35a3b42786a30cc1883a30cd6987ebc1568cda1ff58bc0a0abe01fa920247c

Filename: font_01_sfnt_off0003dbeb.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3DBEB
Size: 371428 bytes
SHA-256: b04ad00bff331d7a71594ff7eedc000b97a895ef74a773d177eeac2746206504