PDF static analysis report

Static analysis result for SHA-256 dd2056d29844c2b5…

SUSPICIOUS

PDF

Size: 1.84 MB
Created: 2019-06-26 20:22:31 +02:00
Authoring application: Microsoft® PowerPoint® for Office 365
First seen: 2020-09-24
MD5: 2b169f66704909f3e9e60fe89277e185
SHA-1: d2cf1e5f00b42aafdf026ca4a43f1f4d923e13b8
SHA-256: dd2056d29844c2b5aeaa601de712a83d2aa0a566ad7fe637462d93de519eec4d
Risk Score: 26

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file exhibits a high number of streams, suggesting obfuscation or a heap spray technique. It contains numerous embedded URIs, with the primary one being http://www.greekroman.ru/img/gallery/large/athene05.htm. While the document body is unreadable, the presence of these external links indicates a social engineering attempt to direct the user to potentially malicious or deceptive content. No scripts were extracted, limiting further analysis of direct payload execution.

Machine Learning

  • Nyx PDF Classifier clean score 0.0013

Heuristics (4)

  • Unusually high stream count (severity: medium, rule PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.greekroman.ru/img/gallery/large/athene05.htm (channel: PDF link annotation)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_019_off00005319.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5319 585420 bytes
SHA-256: 002b2a6f5026cfa67e330eb0457ae20b421f648e153575f50fa7e89b0ee5d5df
stream_049_off000322f4.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x322F4 102655 bytes
SHA-256: f31a30779fc3d0bac2c0ca2967d4515b535e5db249efcb430ff44cdf3f253e50
stream_081_off00055ffa.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x55FFA 387360 bytes
SHA-256: 8ac7849b14be0de59e11a6f8a8db6557c4807c085eda32c6d5b3ef0544701175
stream_085_off0005e843.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5E843 112796 bytes
SHA-256: f8808ea50f74b488db5de6b24535124177867f8d5e33f857900aeae89b7e1646
stream_087_off000621ac.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x621AC 82175 bytes
SHA-256: 38281a07ede3348fefb172980875a685521d28cc7a4b0747b5e848eadb0793ad
stream_121_off001b39d8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B39D8 92776 bytes
SHA-256: 8fa24feda8c2cee5ebcb775bad07e6ce41710ffb0daaf1c5a7e36d639d83eb37