PDF static analysis report

Static analysis result for SHA-256 d891ff34a295c10d…

SUSPICIOUS

PDF

55.6 KB Created: 2018-09-07 11:53:49 -04:00 Authoring application: Microsoft® Word 2016 First seen: 2019-05-31
MD5: 85a884e0077bf7dd15be26adcae8bac6 SHA-1: b6123c67f4173f7929cf70bf42242f9620bfa3e9 SHA-256: d891ff34a295c10d09ae01c29346e08bb263eac53d163c866d389fea78d99e9f
30 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 User Execution: Malicious Link

The PDF document contains heuristics indicating a fake invoice lure and the presence of a shortened URL. The shortened URL, while currently benign, is a common tactic for delivering malicious payloads. The document body itself is heavily obfuscated and does not provide further context, but the combination of the lure and the URL suggests an attempt to trick the user into navigating to a potentially harmful destination.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics 3

  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bit.ly/2MRoOLP In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoftIn PDF document text
    • http://en.wikipedia.org/wiki/MIT_LicenseIn PDF document text
    • http://www.microsoft.com/typography/fonts/default.aspxIn PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0XIn PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0In PDF document text
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0aIn PDF document text
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0TIn PDF document text
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^In PDF document text
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0��In PDF document text
    • http://www.microsoft.com/pkiops/docs/primarycps.htm0@In PDF document text
    • http://www.microsoft.com/TypographyIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off0000442d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x442D 103584 bytes
SHA-256: 98f8f3900ca0e88038d7c6cd3390fd346bfc21ad6ce116662b8ea65fe62df0e0