PDF static analysis report

Static analysis result for SHA-256 f7ac6355b1d26db4…

Verdict: SUSPICIOUS

File type: PDF

Size: 35.6 KB
Created: 2020-11-05 19:49:37 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-10-04
MD5: 20204024c6d65f8df04ca53fb38e9bdf
SHA-1: da319526b1d0782bf41102d131d5532afe958dd3
SHA-256: f7ac6355b1d26db4b935035f23ea1bab18e111f230429a54059f4744f897d14d
Risk score: 36

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document was flagged as suspicious by an ML classifier. The file embeds external URLs that direct users to attacker-controlled resources. Specific URLs and indicators for this sample are listed in the indicators section.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004b81.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4B81
    Size: 5096 bytes
    SHA-256: ceb3abe083c1f88cc6a759f6d4a451606f3de0934f90a563d6ca7da287019be0
  • Filename: font_01_sfnt_off00005ce6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CE6
    Size: 11264 bytes
    SHA-256: 5bc6cef2c8d5b471b99a3f508d298860d357a053f2ba15e2611307d730ecd38a