MALICIOUS
282
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.001 PowerShell
This PDF file contains embedded JavaScript and is associated with CVE-2023-26369, indicating it's designed to exploit a vulnerability. The embedded script likely facilitates the download and execution of a second-stage payload from the external URI 'http://deltafirst-sa.com/wp-package/AO3dI/'. The presence of XFA heap spray and JS exploit cluster heuristics further supports this attack vector.
Machine Learning
- Nyx PDF Classifier malicious score 0.9062
Heuristics 8
-
TrueType bitmap font + active content — CVE-2023-26369 related high PDF_CVE_2023_26369_RELATEDPDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
-
XFA JavaScript heap-spray exploit code critical PDF_XFA_HEAP_SPRAYPDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
ClamAV: Pdf.Dropper.Agent-7252500-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-7252500-0
-
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://deltafirst-sa.com/wp-package/AO3dI/
- http://mirror1.convertonlinefree.com
- http://www.microsoft.com/downloads/en/details.aspx?FamilyID=ab99342f-5d1a-413d-8319-81da479ab0d7
- http://go.microsoft.com/fwlink/?LinkID=149156&v=4.0.50826.0
- http://go.microsoft.com/fwlink/?LinkId=161376
- http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou
- http://www.microsoft.com/typography/fonts/default.aspx
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
- http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
- http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
- http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
- http://www.microsoft.com/Typography/0
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_003_off0000801b.binf3bf9704ae1a1b01d6eaba8c4203245dfddd8957cdd25f52cca46afe823164ba |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x801B | 173484 bytes |
embedded_pdf_script_0001bb02.bind12930a303295c0d210edb6e94fc67e6b84449edde6d09eedc1746a4340e2c4c |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x1BB02 | 161517 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.