PDF static analysis report

Static analysis result for SHA-256 125a3765c65e8722…

CLEAN

PDF

Size: 4.06 MB
Created: 2017-11-01 15:53:35 -02:00
Authoring application: Microsoft® Word 2016
First seen: 2020-09-24
MD5: 452371feb66006c94e4027df24359ab9
SHA-1: 263606c3cb1dd3334d052fd2403e71c67dbccd0e
SHA-256: 125a3765c65e87221e5b3cce802018f6a44949c461a2e548f01368078d7367f2
Risk score: 6

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF document that contains active content and is related to CVE-2023-26369, indicating an exploit for client execution. It also contains an embedded URI pointing to 'http://sandrapesavento.org/', which is likely a command and control server or a download location for a secondary payload. Given the nature of the exploit and the external URL, this is likely delivered via spearphishing.

Machine Learning

  • Nyx PDF Classifier clean score 0.0004

Heuristics (3)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: info; category: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_196_off0033579b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x33579B
    Size: 94008 bytes
    SHA-256: 91cae34f93637f3488ee8493cf02310bc5f5e0f94176f9ce36baef46ea529e3b
  • Filename: stream_198_off00346040.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x346040
    Size: 174460 bytes
    SHA-256: 3c0454ad12f8b37ac41cd3710b38d931f70d8e9c0440ad13a20c4d515e4e3a23