Malicious PDF — malware analysis report

Static analysis result for SHA-256 1041e86e6cba8503…

MALICIOUS

PDF

20.1 KB
MD5: 1d566de3bc778fbb70abbfa76fbf5446 SHA-1: cc6e4d6500d41485cc3ced890722d56dff2f4264 SHA-256: 1041e86e6cba85038bf6b70a0954847db850877d998452616c4c11301738bbab
64 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The critical heuristic 'CVE_2024_4367' indicates a type confusion vulnerability in PDF.js, which can lead to arbitrary JavaScript execution. This suggests the PDF is designed to exploit this flaw. While the extracted URLs are benign, the presence of an embedded font stream artifact warrants further investigation for potential payload delivery mechanisms. The lack of readable document body text or scripts prevents a more detailed analysis of the intended lure or payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0015

Heuristics 3

  • CVE-2024-4367 — PDF.js FontMatrix type confusion (arbitrary JS) critical CVE exact CVE_2024_4367
    PDF font dictionary contains a /FontMatrix array with non-numeric content — CVE-2024-4367 is a high-severity PDF.js vulnerability that exploits a missing type check to execute arbitrary JavaScript during glyph rendering. Affects Firefox < 126 and Thunderbird < 115.11.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ams.org
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_type1_off0000034e.bin
59ce0d86a4e4a57d020a01dc1b3fb339a2e4541f61d54f73c696815231ef59b5		 pdf-font-stream PDF embedded font (type1) at offset 0x34E 20447 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.