Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f6511ae224a6051…

MALICIOUS

PDF

145.6 KB Created: 2018-09-26 08:41:07 -04:00 Authoring application: Microsoft® Word 2016
MD5: b10bd48f694999c947056e97d888e4de SHA-1: b090d1805461a1df3276fb2dbab6981dba21dcc1 SHA-256: 2f6511ae224a6051ccf056d746146fcdc5f051fe15d9e0dbf7cd1128533cbf97
148 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains embedded JavaScript and a heuristic firing indicates it is related to CVE-2023-26369. It also impersonates a cloud document lure, directing the user to click on a shortened URL. The presence of embedded JavaScript and the CVE-related heuristic suggest an attempt to exploit vulnerabilities or deliver a malicious payload. The shortened URLs, while currently marked as benign, are the primary user-interaction vector for this phishing attempt.

Heuristics 6

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • ClamAV: Pdf.Phishing.CWS497388d5-9899792-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.CWS497388d5-9899792-0
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bit.ly/2N9bEdy
    • https://bit.ly/2wELmp9
    • https://bit.ly/2xodhtB
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00019fdd.bin
bc811b3cca8806e54e2f552126e50bddcb763cc43e3a9204b935d401dce7b759		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x19FDD 55112 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.