PDF static analysis report

Static analysis result for SHA-256 b078e12f4b7659b4…

SUSPICIOUS

PDF

49.9 KB Created: 2020-07-25 07:14:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2020-08-25
MD5: 5ab17819e2fbb925b8cdf89e119597f3 SHA-1: bf4b0418adffe28a04c688fb5cb741ba67fc9aa5 SHA-256: b078e12f4b7659b4421248c88f609f7f725670af5e070bd11e35ad38ed2382d3
44 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0284

Heuristics 3

  • Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK
    PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wikigi.litds.ru/date?keyword=kwang+soo+and+somin+dating&charset=utf-8 PDF link annotation

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000864a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x864A 4040 bytes
SHA-256: 0e569373682d2112ebd5507cbcffc9f768581458be21dc3e1de8b7b53ca7eb6e
font_01_sfnt_off0000954a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x954A 15472 bytes
SHA-256: 9dfb2f580b20f5e871a15da1e54cac99832ea4d3f46b3f20612cdfcd714a834b