PDF static analysis report

Static analysis result for SHA-256 cacc86165c53c4d3…

Verdict: CLEAN
File type: PDF
Size: 2.19 MB
First seen: 2020-07-24
MD5: f3b5c8b5c1ce91b87c7b00cea0b2f69e
SHA-1: b9e44e506d142dd25f7a3afc8e492523c6fa6282
SHA-256: cacc86165c53c4d31ce9879758668e57bc4b51e0c532b028226a9c137269456b
Risk Score: 24

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF is encrypted and contains only images, with no discernible text content. This indicates a likely attempt to obscure malicious content or to use images as a lure. The 'PDF_IMAGE_ONLY_LURE' heuristic firing supports this, suggesting the document is designed to mislead the user. Without readable text or scripts, the exact malicious intent cannot be determined, but the overall pattern points to a phishing or social engineering attempt.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics (3)

  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED
    PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel label in parentheses):
    • http://www.digia.com/ (In PDF document text)
    • http://www.indt.org/ (In PDF document text)
    • http://www.mob4hire.com/ (In PDF document text)
    • http://www.getjar.com/ (In PDF document text)
    • http://www.uxmag.com/technology/effective-developer-experience (In PDF document text)
    • http://www2.uiah.fi/projekti/metodi/158.htm#measure (In PDF document text)
    • http://www.wirelessexpertise.com/research_detail.php?research_id=5 (In PDF document text)
    • http://www.mrweb.com/mrt/mob09nov.htm (In PDF document text)
    • http://www.interaction- (In PDF document text)
    • http://neospot.se/usability-vs-user-experience/ (In PDF document text)
    • http://www.uxmag.com/design/user-experience-for-developers (In PDF document text)
    • http://www.strategyanalytics.com/default.aspx?mod=pressreleaseviewer&a (In PDF document text)
    • https://bluevia.com/en/ (In PDF document text)
    • http://www.cuppadev.co.uk/the-horror-of-android- (In PDF document text)
    • https://mobiledocuments.com/ (In PDF document text)
    • http://www.visionmobile.com/research.php#devecon (In PDF document text)
    • http://www.vogella.de/articles/Android/article.html (In PDF document text)
    • http://www.wacapps.net/web/portal (In PDF document text)
    • http://pelfusion.com/awesome-graphics/mobile-interface-development- (In PDF document text)
    • http://ocsp.verisign.com0 (In PDF document text)
    • http://www.forum.nokia.com/Design/ (In PDF document text)
    • http://developer.apple.com/devcenter/ios/index.action (In PDF document text)
    • http://developer.android.com/guide/practices/ui_guidelines/index.html (In PDF document text)
    • http://www.developer.nokia.com/Resources/Library/Design_and_UX/designing-for-nokia- (In PDF document text)
    • http://www.forum.nokia.com/info/sw.nokia.com/id/7557c13f-0b43-4805-85ce-8414bfbade57/Flowella.html (In PDF document text)
    • http://www.forum.nokia.com/Design/User_experience/Case_studies/ (In PDF document text)
    • http://store.ovi.com/ (In PDF document text)
    • http://blog.ovi.com/dailyapp/global/ (In PDF document text)
    • http://www.usertesting.com/ (In PDF document text)
    • http://speckyboy.com/2010/05/10/android-app- (In PDF document text)
    • http://developer.apple.com/library/mac/#documentation/Cocoa/Conceptua (In PDF document text)
    • http://developer.apple.com/ (In PDF document text)
    • http://hdl.handle.net/1794/7610 (In PDF document text)
    • http://www.forum.nokia.com/Design/User_experience/ (In PDF document text)
    • http://appinventor.googlelabs.com/about/ (In PDF document text)
    • http://www.idc.com/about/viewpressrelease.jsp?containerId=prUS22679411 (In PDF document text)
    • http://www.juniperresearch.com/shop/products/whitepaper/pdf/Mobile%2 (In PDF document text)
    • http://www.nytimes.com/2010/07/12/technology/12google.htm (In PDF document text)
    • http://www.useit.com/alertbox/mobile-apps-initial-use.html (In PDF document text)
    • http://blog.nielsen.com/nielsenwire/online_mobile/the-state-of-mobile- (In PDF document text)
    • http://betalabs.nokia.com/ (In PDF document text)
    • http://doi.acm.org/10.1145/1151454.1151466 (In PDF document text)
    • http://doi.acm.org/10.1145/1167948.1167980 (In PDF document text)
    • http://www.microsoft.com/typography/ctfontshttp://www.fonts.comYou (In PDF document text)
    • http://www.microsoft.com/typography/fonts/default.aspx (In PDF document text)
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H (In PDF document text)
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 (In PDF document text)
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H (In PDF document text)
    • http://www.microsoft.com/pki/certs/tspca.crt0 (In PDF document text)
    • http://www.microsoft.com/typography/0 (In PDF document text)
    +8 more URL(s)

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_035_off0005aa10.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5AA10 | 1214208 bytes
  SHA-256: bfe6f0327bb9b68c428cfb627696524f1b661942bdb46fc43f5aa9e75b1cb3e3
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06
stream_071_off00102829.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x102829 | 1308000 bytes
  SHA-256: 7ae274f152599c30837d0b51d2c1b4ea1abea76939d431a4949e3e940e6232ba
stream_073_off001bfb64.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1BFB64 | 226828 bytes
  SHA-256: 77443d186fc9b091a90b18d7a353ba235970cf7e32b8cd04e621eded5ba255a3
stream_076_off00211a72.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x211A72 | 189012 bytes
  SHA-256: 6f1a28ea088aa36864d88d73f956f9d3959ce5b0e1a5d536afe62a7680b8ee57
font_00_sfnt_off001da59f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1DA59F | 248544 bytes
  SHA-256: b53b3d32763b4c1732e4121021525b1fb6b212329ba3098dcebb5fe21e8049e5
font_02_sfnt_off002277f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2277F3 | 195248 bytes
  SHA-256: be7c5e56ffc74445d19563693e22ecbbdd67970e49be7d16bf0f0fbf15fb704c
font_03_sfnt_off002524d0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2524D0 | 56804 bytes
  SHA-256: 15edbd3d172a16892dd83b7e90da0fd4fe04b430044012f42794d2fcdfd59297
font_04_sfnt_off0025b92b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25B92B | 24332 bytes
  SHA-256: ca6c494bb5ef9be7361cfad38425c9e5ec46bc51a29f0a9ed3e0b4866540a7f4