PDF static analysis report

Static analysis result for SHA-256 c0ed47254344b52e…

Verdict: SUSPICIOUS
File type: PDF

Size: 51.4 KB
Created: 2020-11-07 14:09:35 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-05
MD5: c543ad2580f9d047c6f7b0dac0158943
SHA-1: 2eaa798d5a681df1ff7c1acfa286eb8eed0180c1
SHA-256: c0ed47254344b52ea71f6f57ab8e1764e68d6c88c0126e6ad7f8ae424e41f724
Risk score: 36

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries one external URL action: a link annotation pointing to traffine.ru with a keyword query string, a pattern consistent with a phishing or social-engineering lure that redirects the reader to a compromised or attacker-controlled site. The ML classifier assigned the maximum malicious score, which is why the sample is treated as suspicious even though every heuristic fired at severity info. The remaining extracted URLs occur only as document text (links to other hosted PDFs on f-static.net and strikinglycdn.com, XMP namespace URIs, and font license URLs) and are not clickable actions; they are listed for context, not as detections.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://traffine.ru/wb?keyword=what%20is%20thamo%20in%20english (PDF link annotation)
    • https://cdn-cms.f-static.net/uploads/4370088/normal_5f94dc66b8558.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4366382/normal_5f8a30991f380.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4382631/normal_5f8ecd6829724.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4379618/normal_5f9f139481a01.pdf (in PDF document text)
    • https://cdn-cms.f-static.net/uploads/4410217/normal_5f978b07081d5.pdf (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://uploads.strikinglycdn.com/files/40688718-b14c-4736-9bfb-c7d20eb74d21/58611316024.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/3e277e00-6ef8-493a-9f38-eb09db8ee500/literary_devices_in_fast_food_nation.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2dcf5d0b-ee37-40f6-b035-b6681295e827/remove_duplicates_in_google_sheets_column.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/9ac3ad2c-a6e0-4d4d-84ea-f3e8408d50b9/adding_rational_numbers_worksheet_7th_grade.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/0b507bb1-bca0-4478-86f3-151bc7d6bc16/63220244604.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/117d3d08-e7be-401c-922a-233beaa099ae/jivovalezowosezuwaluj.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/362e0828-5eb7-42a7-8694-26ebf73bc7a5/44392922089.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/55c0cd8f-d7f7-4660-9dc1-2a05b9bb3ae2/31388496835.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/2011df08-7a2b-46e5-8b00-ef950d03b76c/flight_rising_breeding_cooldown.pdf (in PDF document text)
    • https://uploads.strikinglycdn.com/files/4e74f5f7-1fbc-4080-8261-b632a6027092/xekuxirokemajuto.pdf (in PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/rights/ (in PDF document text)
    • http://dejavu.sourceforge.net (in PDF document text)
    • http://dejavu.sourceforge.net/wiki/index.php/License (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)
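
The PDF_URI and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL heuristics above can be reproduced with a small scanner. The block below is an added example, not the analysis tool's own code: it locates `N G obj ... endobj` definitions with a regular expression (a simplification; a conforming reader resolves objects through the xref table and the incremental-update chain), groups them by object number and generation, reports objects whose bodies differ between definitions, shows what a first-wins and a last-wins reader would each resolve, and raises the severity only when a duplicate carries an action key. The bytes in SAMPLE are a constructed two-revision PDF in which a link annotation is redefined in an incremental update; all function names are the example's own.

```python
import re
from collections import defaultdict

# Indirect object definition: "<num> <gen> obj <body> endobj". The lookbehind stops
# "12 0 obj" from also matching as "2 0 obj". Simplified: no xref/trailer handling.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values inside action dictionaries (hex strings not handled).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Keys whose presence makes a duplicate definition "active content".
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA",
               b"/URI", b"/SubmitForm", b"/GoToR")

# Constructed sample (not a real file): object 5 is repeated with an identical
# body (benign), object 4 is redefined in an incremental update with a new /URI.
SAMPLE = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/docs) >> >>
endobj
5 0 obj
<< /Length 0 >>
stream
endstream
endobj
5 0 obj
<< /Length 0 >>
stream
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
4 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.net/update) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""


def parse_objects(data):
    """Return [((num, gen), body_bytes), ...] in file order."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def find_duplicate_bodies(data):
    """Map (num, gen) -> all bodies, keeping only keys with >1 distinct body.

    Repeated definitions with byte-identical bodies are ignored, matching the
    report's note that body-only differences are what matter.
    """
    seen = defaultdict(list)
    for key, body in parse_objects(data):
        seen[key].append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def has_active_content(body):
    """True if the object body carries an action-bearing key."""
    return any(k in body for k in ACTIVE_KEYS)


def resolve(data, key, policy="last"):
    """Body a reader would use for `key` under a first-wins or last-wins policy."""
    bodies = [b for k, b in parse_objects(data) if k == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(data):
    """All literal /URI targets, in file order (the PDF_URI channel)."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def scan(data):
    """Findings for every object defined more than once with differing bodies."""
    findings = []
    for key, bodies in find_duplicate_bodies(data).items():
        severity = "raised" if any(has_active_content(b) for b in bodies) else "info"
        findings.append({"object": key, "severity": severity,
                         "first_wins": bodies[0], "last_wins": bodies[-1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"object {f['object']} severity={f['severity']}")
        print("  first-wins:", f["first_wins"].decode("latin-1"))
        print("  last-wins: ", f["last_wins"].decode("latin-1"))
    print("URIs:", extract_uris(SAMPLE))
```

Run against a real sample, the output shows which target a first-wins reader (the older definition) and a last-wins reader (the incremental update) would follow for the same annotation; when both definitions are identical, as for object 5 here, the scanner stays silent.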

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_005_off000090d3.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x90D3
    Size: 26200 bytes
    SHA-256: cda565053e5d8155a396a19fb4e622c45e26315cf36f48249292a1f8e9818505
  • font_00_sfnt_off00005c1f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C1F
    Size: 5016 bytes
    SHA-256: dc716e3e06ee86279c9bcf5763d167a9c787e1ef96d7b4bf685d5fbea5eb8120
  • font_01_sfnt_off00006d17.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6D17
    Size: 10536 bytes
    SHA-256: 9299fc719631fb8807ec852b26a657d20ced32e9d61755c9da8087c8fa799fd5