PDF static analysis report

Static analysis result for SHA-256 dda2c7f58d152323…

SUSPICIOUS

PDF

Size: 233.1 KB
Created: 2021-07-05 13:15:25 +00:00
Authoring application: Microsoft® Word 2016 (via www.ilovepdf.com)
First seen: 2026-06-04
MD5: 64561cba99ad46a7f54a0ff9213d59df
SHA-1: 1f13f09fb23154d50d988b9a818b9c521ed518e6
SHA-256: dda2c7f58d1523236e9418a52ae732da7abe25c0c98a1c28a52cf01ddbdad4cd
Risk Score: 44

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document identified as an advance-fee scam lure. It contains language related to lotteries, prizes, and parcel delivery, typical of such fraud schemes. While numerous URLs were extracted, they were all confirmed as benign. No scripts were found, and the document body was heavily obfuscated, preventing a deeper analysis of the specific scam details.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics 3

  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.google.org/ PDF link annotation

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_005_off00012652.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12652 | 345880 bytes
SHA-256: 6ffefc34bddc571acd913efe2fa45dfabfefa85bf8f110361660b8785b4c7b7a
font_00_sfnt_off00008aa6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8AA6 | 103204 bytes
SHA-256: 248900c437b6203fdf28345ad64f719f3dd51d5e826759c7e6807bf564500312