Malicious PDF — malware analysis report

Static analysis result for SHA-256 0dcfabbd49a90919…

Verdict: MALICIOUS
File type: PDF
Size: 1.69 MB
Created: 2019-06-26 13:12:05 +02:00
Authoring application: Microsoft® Office Word 2007
MD5: 1e3ab5e448ad1a3c92e1ed106d306978
SHA-1: 35d34b9aa62dadef1a5d620f17e12f7e57327b18
SHA-256: 0dcfabbd49a90919de64f33f181b1a2a928eed55a59e9bf4c385a5e00cedfe08
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF carries embedded URLs and triggers the 'Password-protected archive handoff' heuristic (SE_PASSWORD_ARCHIVE_LURE), which fires on text that instructs the reader to open a password-protected archive or attachment. That pattern is consistent with a lure that hands the user off to an externally hosted, encrypted payload, although the rule matches wording, not a verified download. The document body, though heavily obfuscated, contains URL references that are likely part of the lure. The CVE-2023-26369-related indicators (a TrueType font with bitmap tables alongside active content) are consistent with exploitation of a known Acrobat/Reader font-parsing vulnerability, but the rule does not verify the malformed EBLC/EBDT primitive, and bitmap tables are present in many legitimate Microsoft fonts, so the extracted font streams should be inspected before treating this as confirmed exploitation. Document metadata (Word 2007 producer, 2019-06-26 creation date) is attacker-controlled and should not be relied on to date or attribute the sample.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0009

Heuristics (4)

  • TrueType bitmap font + active content (severity: high, category: CVE related, rule: PDF_CVE_2023_26369_RELATED)
    The PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 is a memory-corruption vulnerability in the sfac_GetSbitBitmap function of Adobe's libCoolType (the font engine in Acrobat and Reader) that can yield arbitrary code execution and was exploited in the wild. This rule flags the co-occurrence only; it does not validate the malformed EBLC/EBDT primitive, so a hit is an indicator to confirm against the extracted font streams, not proof of exploitation.
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    The document gives password instructions for an archive or attachment, a pattern often used to keep a payload encrypted until after mail-gateway scanning: the password in the lure lets the victim, but not the scanner, open it.
  • External URI (severity: info, rule: PDF_URI)
    The PDF contains an external URL action (/URI).
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. In this sample the list mixes three sources: Spanish educational sites that form the visible content; lookalike file-transfer and video domains (wetranfer.com, yotube.com and youtube.be resemble wetransfer.com, youtube.com and youtu.be) that should be triaged first, whether they turn out to be lure infrastructure or the author's own typos; and Microsoft PKI and typography URLs with DER length bytes fused to them (...crl0X, ...crt0), which are ordinary residue of the certificate chain and name table of an embedded Microsoft-signed font rather than attacker infrastructure. The entry ending in "ctfontshttp://www.fonts.comYou" is two adjacent font strings run together by the carver.
    • http://www.smra.org/Mumi.htm
    • http://www.smra.org/arqueologia_industrial2.htm
    • http://www.smra.org/arqueologia_industrial3.htm
    • http://www.smra.org/senderismo.htm
    • http://www.smra.org/gastronomia.htm
    • http://www.smra.org/menu_municipio.htm
    • http://www.smra.org/menu_invertir.htm
    • http://www.auladelosoficios.org/
    • http://tiching.com/jugando-con-las-palabras-las-profesiones/recurso-educativo/23686?utm_content=RecursosOrientacionVocacional_2&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://tiching.com/pelayo-y-su-pandilla-la-actividad-humana/recurso-educativo/24065?utm_content=RecursosOrientacionVocacional_3&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://tiching.com/adivina-los-oficios/recurso-educativo/121080?utm_content=RecursosOrientacionVocacional_4&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://www.rinconmaestro.es/
    • http://tiching.com/el-abecedario-de-las-profesiones/recurso-educativo/121075?utm_content=RecursosOrientacionVocacional_5&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://tiching.com/jugando-a-las-profesiones/recurso-educativo/48447?utm_content=RecursosOrientacionVocacional_6&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://tiching.com/de-mayor-quiero-ser/recurso-educativo/47211?utm_content=RecursosOrientacionVocacional_7&utm_medium=referral&utm_campaign=cm&utm_source=BlogTiching
    • http://www.blog.tiching.com/12-recursos-para-la-orientacion-vocacional-en-el-aula
    • https://youtube.be/8Avoazl.pWig
    • https://wetranfer.com/downloads/cdc3a7468d423c74372371780b1b190820190506193442/93b70198c58b5e6d5636c5aef4e5171120190506192442/95f78f
    • https://www.yotube.com/watch?v=08YoHzzpOBA
    • https://wetranfer.com/downloads/cdc3a7468d423c74372371780b1b190820190506193442/93b7
    • http://www.samogaespecial.blogspot.com/
    • http://www.es.slideshare.net/tango67/manual-para-el-facilitador-3-de-primaria-view
    • http://www.conlapizyteclas.blogspot.com/
    • http://www.juntadeandalucia.es/educacion/.../1161788185681_gades.pdf
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
    • http://www.microsoft.com/Typography/0
    • http://www.microsoft.com/typography/ctfontshttp://www.fonts.comYou
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://www.microsoft.com/typography/0

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are FlateDecoded streams that inflate to between 148 KB and 209 KB, a size consistent with embedded font programs (FontFile2); they are the first candidates to check for the EBLC/EBDT tables the TrueType heuristic keys on.

Filename / SHA-256 / Kind / Source / Size

stream_098_off00103ba3.bin
  SHA-256: 305e19bdee8555ca6a2e798a700ef4a662be0cd6df56f534d36eeecb47e85303
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x103BA3   Size: 201752 bytes

stream_103_off0013523e.bin
  SHA-256: fcfacad45556ff7cbe2c29411408a33534ad238789d6f2d484ea99f829767e31
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x13523E   Size: 189616 bytes

stream_105_off0014107f.bin
  SHA-256: 2b56eacd3399f9010e7449f97efd0d29162100f0d7c03c2d1bbb243e0a02bb2d
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x14107F   Size: 148520 bytes

stream_109_off0014dece.bin
  SHA-256: 4e04ccba1e6020895daf0674aa793d3e37233537518456b5e65c5089cfc1d21c
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x14DECE   Size: 193132 bytes

stream_113_off0017018c.bin
  SHA-256: 44df7599415c0ae1f802572592ffd3c22b8c00c7d31e63c58c851008cff63345
  Kind: decompressed-pdf-stream   Source: PDF FlateDecoded stream at offset 0x17018C   Size: 209076 bytes