PDF static analysis report

Static analysis result for SHA-256 ddd783227dd8abe5…

SUSPICIOUS

PDF

Size: 4.52 MB
Created: 2011-01-25 20:23:04 +01:00
Authoring application: Adobe InDesign CS4 (6.0.6) (via Adobe PDF Library 9.0)
First seen: 2026-05-09
MD5: e53fdc9937f92ad32bc8b81f2d38364b
SHA-1: 812ac60554552f39f4b8b988ab216d4b51ee0467
SHA-256: ddd783227dd8abe5964915ad23846a9072b2d74c47e60b9ef17a3f1775e40fc2
Risk Score: 52

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains an embedded JavaScript stream and a URI pointing to a McAfee white paper, suggesting an attempt to exploit vulnerabilities or trick the user. The heuristic 'SE_CALLBACK_LURE' indicates the document prompts the user to call a phone number, a common tactic in tech-support scams and callback phishing. The document body is heavily obfuscated and contains no readable text, further supporting a malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0016

Heuristics (5)

  • PDF_IMAGE_ONLY_LURE (medium): PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel in parentheses):
    • http://www.myce.com/news/anonymous-calls-off-hadopi-attack-targets-hustler-35675/ (In PDF document text)
    • http://www.mmtimes.com/2010/news/547/news54716.html (In PDF document text)
    • http://news.hostexploit.com/cybercrime-news/4686-russian-gang-used-customized-virus-bought-from-hacker-forum-on-atms.html (In PDF document text)
    • http://www.v3.co.uk/v3/news/2273647/fbi-botnet-spam-nikolaenko (In PDF document text)
    • http://www.myce.com/news/anonymous-calls-off-hadopi-attack-targets-hustler-35675/)/S/URI/IsMap (In PDF document text)
    • http://www.mmtimes.com/2010/news/547/news54716.html)/S/URI/IsMap (In PDF document text)
    • http://news.hostexploit.com/cybercrime-news/4686-russian-gang-used-customized-virus-bought-from-hacker-forum-on-atms.html)/S/URI/IsMap (In PDF document text)
    • http://www.v3.co.uk/v3/news/2273647/fbi-botnet-spam-nikolaenko)/S/URI/IsMap (In PDF document text)
    • http://www.mcafee.com)/S/URI/IsMap (In PDF document text)
    • http://www.mcafee.com/us/resources/white- (PDF link annotation)
    • http://www.adobe.com/support/security/advisories/apsa10-05.html (In PDF document text)
    • http://www.infosecurity-magazine.com/view/13056/anonymous-cyberprotest-group-stages-ddos-attack-on-spains-copyright-society/ (In PDF document text)
    • http://www.app.com/article/20101102/NEWS06/101102049/Cyber-group-hacks-recording-industry-group-s-site-in-response-to-LimeWire-shutdown (In PDF document text)
    • http://www.whec.com/article/stories/S1812949.shtml?cat=10077 (In PDF document text)
    • http://joongangdaily.joins.com/article/view.asp?aid=2927242 (In PDF document text)
    • http://www.nytimes.com/2010/10/27/business/27spam.html (In PDF document text)
    • http://garwarner.blogspot.com/2010/11/lin-mun-poo-hacker-of-federal-reserve.html (In PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
    • http://purl.org/dc/elements/1.1/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/g/img/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent# (In PDF document text)
    • http://ns.adobe.com/illustrator/1.0/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/t/pg/ (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Dimensions# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/Font# (In PDF document text)
    • http://ns.adobe.com/xap/1.0/g/ (In PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (In PDF document text)
    • http://www.mcafee.com/us/resources/white-papers/wp-running-scared-fake-security-software.pdf)/S/URI/IsMap (In PDF document text)
    • http://www.adobe.com/support/security/advisories/apsa10-05.html)/S/URI/IsMap (In PDF document text)
    • http://www.infosecurity-magazine.com/view/13056/anonymous-cyberprotest-group-stages-ddos-attack-on-spains-copyright-society/)/S/URI/IsMap (In PDF document text)
    • http://www.whec.com/article/stories/S1812949.shtml?cat=10077)/S/URI/IsMap (In PDF document text)
    • http://joongangdaily.joins.com/article/view.asp?aid=2927242)/S/URI/IsMap (In PDF document text)
    • http://www.nytimes.com/2010/10/27/business/27spam.html)/S/URI/IsMap (In PDF document text)
    • http://garwarner.blogspot.com/2010/11/lin-mun-poo-hacker-of-federal-reserve.html)/S/URI/IsMap (In PDF document text)
    • http://ns.adobe.com/xap/1.0/sType/ManifestItem# (In PDF document text)
    • http://ns.adobe.com/xmp/InDesign/private (In PDF document text)
    • http://www.mcafee.com/us/resources/white-papers/wp-running-scared-fake-security-software.pdf (PDF link annotation)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                     Size
stream_003_off0000192a.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x192A   557168 bytes
  SHA-256: 35f401731df11a4eba3502af632e51d68bc394bcb7d34632a331c1ba3f4a0bf6
stream_007_off0006295b.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x6295B  52520 bytes
  SHA-256: 77df0416c371edd0573750243928ac38c2c0abbb4b53c564373468b6df195818
font_00_cff_off000613cf.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x613CF  5749 bytes
  SHA-256: 278667db1301fa1d12a303e669bd7996369e79736683488a81ca40fba7786ff0
font_01_cff_off0035b3dc.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x35B3DC 3058 bytes
  SHA-256: fc86c765d36c38af104ff7491850233342284f2d69ddfb25ef14e656c73c75a9
font_02_cff_off0041e8ff.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x41E8FF 5265 bytes
  SHA-256: 4ef885aca6362b611e499711e1639099bb6e7b0b5af5ea0a3e8aa78f7fcdb69d
font_03_cff_off0041fa7b.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x41FA7B 6085 bytes
  SHA-256: 766c79b104d3139ed259a4e6234d5f62088abef30b7e13f170d7d803a0fd15ee