PDF static analysis report

Static analysis result for SHA-256 a764094b8a9f8aa1…

SUSPICIOUS

File type: PDF
Size: 48.6 KB
First seen: 2019-05-31
MD5: e4c56042a5ddfee888c40e808a662180
SHA-1: b17c4505ac5555b351a79dcb8ee1d17c1bf962e7
SHA-256: a764094b8a9f8aa1cf7d8e3bc5c0c700e9acfe93a72bd149f61c375ace29aaa5
Risk Score: 30

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document uses a cloud document impersonation lure, attempting to trick the user into clicking an embedded link. The link directs to a suspicious URL, suggesting a phishing or malware distribution attempt. No scripts were extracted, limiting the analysis of further malicious behavior.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0008

Heuristics (3)

  • Cloud document impersonation lure (severity: medium, rule SE_CLOUD_DOC_LURE)
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document.
  • External URI (severity: low, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://thebcgco.com/JLBusinessInteriors/0992/ (PDF link annotation)
    • https://thebcgco.com/JLBusinessInteriors/0992/)endobj13 (in PDF document text; the trailing ")endobj13" is raw PDF object syntax captured by the URL extractor, not part of the link)
    • http://www.iec.ch (in PDF document text)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_003_off00001769.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1769
    Size: 23820 bytes
    SHA-256: f3cd99b181cc3388399d80c3a9748c4c80712cb714ef8b6235124a64aa1e8e6d
  • icc_00_off000006e1.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x6E1
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • font_01_sfnt_off00004c00.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4C00
    Size: 6624 bytes
    SHA-256: ed40ea25e771cc3b981f34a4a692dd8de13860bb173180d3b90312d7aa5bed7a
  • font_02_sfnt_off00006212.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6212
    Size: 15500 bytes
    SHA-256: 4ce7e2c285119f702f42303d6e315bcb2bb5658fb0869464832a7c0b69f35637
  • font_03_sfnt_off00008551.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8551
    Size: 10652 bytes
    SHA-256: 638cc90ba63a64c5fad037f9253192a9c0e1c10f8eebd23b0cce4f38a47879e8
  • font_04_sfnt_off0000a3cc.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA3CC
    Size: 9360 bytes
    SHA-256: e4080486304899c1052bb9c730dfbeda9ebc619b6611d93842b9ca08b0ab6a10