PDF static analysis report

Static analysis result for SHA-256 d0552d4acdd6f0df…

SUSPICIOUS

PDF

29.90 MB
Created: 2025-05-28 10:14:40 -03:00
Authoring application: wkhtmltopdf
First seen: 2026-05-13
MD5: a6e74aa8e78f49b577c2af0fe869e05d SHA-1: 5f6ef91145ed996804558e30d6e0bde88e4991e2 SHA-256: d0552d4acdd6f0df66e3217e8fd685b69011f8ec4ffb4b57a884f97436002706
Risk Score: 26

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file contains embedded JavaScript, which is a common technique for delivering malicious payloads. The presence of multiple external URIs, including one pointing to a Brazilian government domain (sei.mj.gov.br), suggests a phishing or credential harvesting attempt. The embedded JavaScript likely attempts to redirect the user to one of these URLs or download further malicious content. The high stream count also indicates potential obfuscation.

Machine Learning

  • Nyx PDF Classifier clean score 0.1578

Heuristics 4

  • TrueType bitmap font + active content — CVE-2023-26369 related | info | CVE related | PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Unusually high stream count | medium | PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • External URI | info | PDF_URI
    PDF contains an external URL action
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 12

Files carved from inside the sample during analysis.

Filename Kind Source Size
stream_200_off01c8af0b.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C8AF0B 423360 bytes
SHA-256: 86c447153c86c06a8468368c32dece7270ce1392bef9f96f8620cd9b966b14ba
stream_202_off01cc34dc.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CC34DC 61592 bytes
SHA-256: 20853e61b54905047597d7430d88f4bac4631f03af54352a5da2602e2a006bc8
stream_208_off01ce0036.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CE0036 26756 bytes
SHA-256: 38a19bdc6471dad8f44edcecadc8a88f1e7251ab07732d76622166ce97d2dc32
stream_211_off01ce5e32.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CE5E32 23612 bytes
SHA-256: 7038753b144960794919ab34c1ee778f1aa6b16f9caa53122711326767fa2384
stream_214_off01ceb8ad.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CEB8AD 30932 bytes
SHA-256: 8be8ed95589b6fec0a241a43b676b1e5bb0447d4e8bf4a180689cc11e8265c83
icc_00_off01c46a3a.icc pdf-icc-profile PDF ICC profile at offset 0x1C46A3A 536 bytes
SHA-256: d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d
icc_01_off01c609c5.icc pdf-icc-profile PDF ICC profile at offset 0x1C609C5 512 bytes
SHA-256: a25bfb637b7d9f5bb20e5071757ba493a0ea755da9ad1c0613b9ac78efa78907
font_00_sfnt_off01c884e5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C884E5 29412 bytes
SHA-256: 878d9cd09b5c024beb9a9b6e1aa105df3faf4d2fd93b7d4c03ba650552386c2e
font_02_sfnt_off01cb9c83.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CB9C83 83276 bytes
SHA-256: 2376a631ff9c3a3722362c985b64134b46a7efb23550df72462e2423f2bd8ca2
font_04_cff_off01cc9525.bin pdf-font-stream PDF embedded font (cff) at offset 0x1CC9525 535 bytes
SHA-256: 30051ee81d1839965ab4094bfa857ca2073f5f328f678d86baeb611558e521ab
font_05_sfnt_off01cc975c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CC975C 46040 bytes
SHA-256: a699c39b8e78c3203f0d6471880ae6a25a9372b13ddfd24caa442a491669bb8c
font_06_sfnt_off01cd027f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1CD027F 35648 bytes
SHA-256: fb70f3ac4e7301b81d8b66f5d11c0fcde392b3cc96a6268de226a5c4adc37aea