Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e3f938ab3b18793…

MALICIOUS

PDF

186.0 KB Created: 2016-06-21 09:20:13 UTC Authoring application: RAD PDF (via RAD PDF 2.38.3.1 - http://www.radpdf.com)
MD5: 4b167136c7fe8c85001c18da5b201449 SHA-1: c43f36b07cc988ec93dddf104e7f20058ca90e35 SHA-256: 2e3f938ab3b18793f95d3591b478c5fb67b2f8f5d847fffd4927dc61f84f2d1b
158 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript and utilizes a URL shortener, indicating an attempt to obfuscate the delivery of malicious content. The heuristic 'PDF_CVE_2023_26369_RELATED' strongly suggests exploitation of a known PDF vulnerability. The embedded URLs point to potentially compromised websites hosting further stages of the attack. The ClamAV detection as 'Pdf.Dropper.Agent-7244581-0' confirms its malicious nature as a dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6423

Heuristics 5

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • ClamAV: Pdf.Dropper.Agent-7244581-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7244581-0
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mjsbuilders.com/wp-includes/js/jcrop/daum/
    • http://ciamaaramados.com.br/druzzy/Order.pdf/Adobe%20File%20View.html
    • http://ciamaaramados.com.br/aka/
    • https://penielghana.org/wp-admin/user/druzzy/pdf/pdf/jk/index.htm
    • https://penielghana.org/wp-admin/user/Mancity/pdf/pdf/jk/index.htm
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://tinyurl.com/zjgbpll
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off000012a3.bin
823b2df26334b0b984f300dc0581d8ec81b39087db1a5f0c6c625f9acc1a43a4		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x12A3 247488 bytes
stream_001_off00011c84.bin
b671e87d34e3a4891cd6295fe05fd78d853876dfae4cbbcbae599023d9f556fb		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11C84 193824 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.