Verdict: CLEAN
Risk Score: 6
Malware Insights
MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The sample is a PDF document that contains active content and is related to CVE-2023-26369, indicating an exploit for client execution. It also contains an embedded URI pointing to 'http://sandrapesavento.org/', which is likely a command and control server or a download location for a secondary payload. Given the nature of the exploit and the external URL, this is likely delivered via spearphishing.
Machine Learning
- Nyx PDF Classifier: clean score 0.0004
Heuristics (3)
- TrueType bitmap font + active content — CVE-2023-26369 related (info, PDF_CVE_2023_26369_RELATED): PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.abecbrasil.org.br (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_196_off0033579b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x33579B | 94008 bytes | 91cae34f93637f3488ee8493cf02310bc5f5e0f94176f9ce36baef46ea529e3b |
| stream_198_off00346040.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x346040 | 174460 bytes | 3c0454ad12f8b37ac41cd3710b38d931f70d8e9c0440ad13a20c4d515e4e3a23 |