PDF malware analysis — malicious · 1d5a0cd4dcec4484

MALICIOUS

PDF

631.4 KB

MD5: 962840f3fcad62ce931d363ff82d0486 SHA-1: 21ec009bc4390ff9a051bdf0a7d587a718d5142d SHA-256: 1d5a0cd4dcec44848d91c2a65d1e1f35b0b23b01f349cac3a8daa7d31d4c7992

94 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell T1059.007 JavaScript

The PDF file contains multiple embedded JavaScript streams and is flagged as related to CVE-2023-26369, indicating an exploit attempt. One of the embedded JavaScript streams, 'stream_002_off00000511.js', is particularly large and suspicious, suggesting it contains the primary malicious payload. The presence of 'PDF_EMBEDDED_SCRIPT_PAYLOAD' and 'PDF_JAVASCRIPT' heuristics further supports the execution of malicious scripts. The script likely downloads and executes a second-stage payload.

Heuristics 8

TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED

PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xfa/promoted-desc/

Extracted artifacts 11

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_001_off00000121.js` `dce7f7ebf6612f0dbc0daf4a7468618c8c43cb1f9d11990a67d193ae6773fda0`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x121	2568 bytes
`stream_002_off00000511.js` `d0474e9e899b32fa82ad0af875d29297823535a0fc0462d5cf9d248952d37138`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x511	323976 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
`stream_003_off000164f1.bin` `984e33597cee6a139b4eb9668deb8ae3fd023cb2f29b1dac2e77dd6be0d9a93d`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x164F1	2893 bytes
`stream_005_off00016a94.bin` `c33fb1ac7109889c7c4b9c859e851de7c5d7b479cf91705d24a8792a803323cf`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x16A94	332 bytes
`stream_006_off00016bbc.bin` `939f152daa46c79c47ea7ebe70ca026c16f473ca4e17dfbf194c58cff4a43e7c`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x16BBC	5494 bytes
`stream_010_off00066449.bin` `b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x66449	367087 bytes
`stream_012_off0009acab.js` `529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9ACAB	1363 bytes
`stream_013_off0009ae89.js` `e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x9AE89	902 bytes
`objstm_0013_00.bin` `57b13bfa12ee6c264fd8fa414b8686696bc052252f08d22895b85f753c0d3566`	pdf-objstm-decoded	PDF /ObjStm 13 0 obj (inflated)	14639 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 long base64-like blob(s).
`font_00_sfnt_off00016ffa.bin` `bb2941ec4287d456b111082246b159a552fabcbd95c93efecdf11c9146f57370`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x16FFA	96552 bytes
`font_01_sfnt_off0002744c.bin` `b8a01f1bf52ef962d6ee77e0a9299704d38617565ea12f2a6dc7a39cdb0062eb`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x2744C	98046 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.