PDF static analysis report

Static analysis result for SHA-256 beab7b33e8a45317…

Verdict: SUSPICIOUS
File type: PDF
Size: 42.9 KB
Created: 2020-11-05 16:57:47 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: b349974041dcd88f628190f25d4f9dfb
SHA-1: 11a23c368278f4df8b3eabfbc9142982370f800a
SHA-256: beab7b33e8a453176c10039e7a808962bdd5e89937a1c7e8c033320ce6a10623
Risk score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as suspicious by an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      | Kind            | Source                                      | Size
font_00_sfnt_off000067cb.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x67CB   | 5172 bytes
  SHA-256: 6d18c29da66247fd5980c6eab08299ce978ce2e61d9c1ed37ab3d9348a8f6079
font_01_sfnt_off00007954.bin  | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7954   | 10800 bytes
  SHA-256: 620865594575466b4dc50d15f4bd29cb0a3f32f9b6829057116f6567f2e29d13