Malicious PDF — malware analysis report

Static analysis result for SHA-256 499037b718af709d…

Verdict: MALICIOUS
File type: PDF

Size: 17.22 MB
Created: 2025-03-26 17:02:00 -04:00
Authoring application: PDFsharp 1.50.4740 (www.pdfsharp.com)
First seen: 2025-08-04
MD5: 3eafede36055a8c8938526160f676fce
SHA-1: 04cf431d63ad86310a38f5ecff5df17a4465e393
SHA-256: 499037b718af709d8abe450313d0e885d58955a16070ea73d121fae68322895a
Risk Score: 214

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File
T1059.001 Command and Scripting Interpreter: PowerShell
Note: none of the heuristics below reports a PowerShell artifact; the T1059.001 mapping is not supported by the evidence on this page.

The PDF carries an embedded /JS stream and a TrueType font with bitmap glyph tables, a combination that matches the structural pattern of CVE-2023-26369 (Adobe Acrobat/Reader CoolType font parsing). The rule does not confirm the malformed table primitive, so this is a related-pattern indicator, not a verified exploit. The document text carries an advance-fee lure (lottery/prize language with large-value funds and courier-delivery wording). Together with the JavaScript action surface, the JBIG2-encoded page images and the very high stream count, the indicators point to a fraud lure document with active content. No JavaScript was extracted for detailed analysis, so the script's actual behaviour is unconfirmed.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0449 (the model's estimated probability that the file is benign; a score this low agrees with the malicious verdict)

Heuristics (10)

  • TrueType bitmap font + active content, CVE-2023-26369 related [high, CVE related] PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap glyph tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 is an out-of-bounds write in the sfac_GetSbitBitmap function of Adobe's libCoolType (Acrobat/Reader) that allows arbitrary code execution and was exploited in the wild. This rule matches the table combination only; it does not validate the malformed EBLC/EBDT primitive, so a hit is a related-pattern indicator, not a confirmed exploit.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own scores low; the correlated cluster is treated as high-confidence malicious behaviour.
  • Advance-fee lottery/parcel scam lure [high] SE_ADVANCE_FEE_SCAM_LURE
    Document text contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements: the classic shape of an advance-fee fraud document.
  • JBIG2Decode filter [medium] PDF_JBIG2
    JBIG2 image decoder present. JBIG2 parsers have historically been abused in zero-click exploits (FORCEDENTRY, CVE-2021-30860), but presence alone is weak evidence: scanned-document PDFs routinely use JBIG2 for bilevel page images, and all 32 JBIG2 streams carved from this sample were ClamAV-clean.
  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects. This may indicate heap spray or heavy obfuscation; in a 17 MB image-heavy document it can also simply reflect many page images and fonts.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. For this sample the matches are the high-entropy JBIG2 streams listed under Extracted artifacts.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All four URLs below point at Morris County (NJ) Prosecutor's Office pages on the county's official domain, consistent with a scam lure that cites official bodies for credibility; they are not indicators of compromise in themselves.
    • https://www.morriscountynj.gov/Home
    • https://www.morriscountynj.gov/Departments
    • https://www.morriscountynj.gov/Departments/Prosecutor/About-Us
    • https://www.morriscountynj.gov/Departments/Prosecutor
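Added example, not part of the scanner's output or its rule set: a Python triage script that reproduces the indicator classes the rules above key on, so the logic behind PDF_JS, PDF_JS_EXPLOIT_CLUSTER, PDF_JBIG2, PDF_FILTER_HEX, PDF_MANY_STREAMS, PDF_URI and the table-directory condition of PDF_CVE_2023_26369_RELATED can be run against a file. It pattern-matches raw bytes the way pdfid does and only inflates FlateDecode streams. The token lists, the cluster logic and the sample PDF it builds are my assumptions, not the vendor's rules, and the sample is a constructed xref-less PDF, not the analysed file.

```python
"""Regex-based PDF triage for the indicator classes the heuristics above key on.

Like pdfid, this pattern-matches the raw file and only inflates FlateDecode streams,
so objects packed in /ObjStm or behind other filters are invisible to it: fine for a
first pass, not a substitute for a real PDF parser when the verdict matters."""
import re
import struct
import zlib

ACTIVE_CONTENT = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch", b"/URI")
FILTERS = (b"/JBIG2Decode", b"/ASCIIHexDecode")
STAGING = (b"eval(", b"unescape(", b"fromCharCode", b"<xfa")
# sfnt tables that carry embedded bitmap glyphs: the font-side condition of PDF_CVE_2023_26369_RELATED
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix"}
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")
# A stream dictionary immediately followed by its body; nested << >> inside the
# dictionary are not handled (acceptable for triage, wrong for a parser).
STREAM_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def count_tokens(data, tokens):
    return {t.decode(): len(re.findall(re.escape(t), data)) for t in tokens}


def inflate(dictionary, body):
    """Inflated body for FlateDecode streams; the very same body object otherwise."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        return zlib.decompress(body)
    except zlib.error:
        return body


def sfnt_table_tags(font):
    """Table tags from an sfnt (TrueType/OpenType) table directory, or None if not an sfnt."""
    if len(font) < 12 or font[:4] not in SFNT_MAGIC:
        return None
    num_tables = struct.unpack_from(">H", font, 4)[0]
    tags = set()
    for i in range(num_tables):
        rec = 12 + 16 * i                      # record: tag(4) checksum(4) offset(4) length(4)
        if rec + 16 > len(font):
            break                              # truncated directory: report what is present
        tags.add(font[rec:rec + 4])
    return tags


def triage(pdf):
    streams = STREAM_RE.findall(pdf)
    inflated, bitmap_tables = [], set()
    for dictionary, body in streams:
        data = inflate(dictionary, body)
        if data is not body:
            inflated.append(data)              # only inflated bodies add text the raw scan missed
        bitmap_tables |= (sfnt_table_tags(data) or set()) & BITMAP_TABLES
    report = {
        "stream_count": len(streams),
        "active_content": count_tokens(pdf, ACTIVE_CONTENT),
        "filters": count_tokens(pdf, FILTERS),
        "staging": count_tokens(pdf + b"\n".join(inflated), STAGING),
        "bitmap_font_tables": bitmap_tables,
    }
    has_js = report["active_content"]["/JS"] + report["active_content"]["/JavaScript"] > 0
    report["js_exploit_cluster"] = has_js and any(report["staging"].values())
    report["bitmap_font_plus_active_content"] = bool(bitmap_tables) and has_js
    return report


def _obj(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def _stream(extra, body):
    return b"<< /Length %d %s >>\nstream\n%s\nendstream" % (len(body), extra, body)


def build_sample_pdf():
    """Constructed input, not the analysed sample: a minimal xref-less PDF whose shape trips
    the same rules. The font is a bare sfnt table directory listing EBDT/EBLC (the tables
    themselves are empty) and the JBIG2 image body is filler, not a real JBIG2 stream."""
    font = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 4, 64, 2, 0)
    for tag in (b"EBDT", b"EBLC", b"glyf", b"loca"):
        font += struct.pack(">4sIII", tag, 0, 0, 0)
    js = b"eval(unescape('%41%42'));"
    return (b"%PDF-1.7\n"
            + _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>")
            + _obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>")
            + _obj(3, _stream(b"/Length1 %d /Filter /FlateDecode" % len(font), zlib.compress(font)))
            + _obj(4, b"<< /Type /Action /S /JavaScript /JS 5 0 R >>")
            + _obj(5, _stream(b"/Filter /FlateDecode", zlib.compress(js)))
            + _obj(6, _stream(b"/Type /XObject /Subtype /Image /Width 8 /Height 8 "
                              b"/ColorSpace /DeviceGray /BitsPerComponent 1 /Filter /JBIG2Decode", b"\x00" * 8))
            + _obj(7, b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/) >> >>")
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. The stream count and token counts are raw-byte counts, so a /JS token inside a compressed object stream will be missed and a token in a comment will be counted; treat the output as a pointer to what to open in a proper parser, which is exactly how the heuristics above should be read as well.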

Extracted artifacts (32)

Files carved from inside the sample during analysis. All 32 artifacts are of kind pdf-jbig2-stream (a JBIG2 image stream carved at the listed file offset). Where the scanner produced a detection entry, ClamAV reported no threats and the "Obfuscation or payload: likely" flag rests solely on the Shannon entropy of the carved bytes (7.96 to 8.00 bits per byte). Entropy that high is also what correctly compressed image data looks like, so for JBIG2 streams it does not by itself separate a payload from an ordinary scanned page; checking that each stream parses as a valid JBIG2 segment sequence is the useful next step. The five smallest streams (3 to 4 KB) have no detection entry.

Filename                  Offset    Size   Entropy  ClamAV  SHA-256
jbig2_00_off00392c02.bin  0x392C02   3774  -        -       07d8ebd01be2d5fa3c2aa89d73a73f2da05edd2668db3e213d440a4f1f77845d
jbig2_01_off00393fe1.bin  0x393FE1  16685  7.99     clean   f04b056019533d690f8e47a0bca381a987684c67cb5e4dad1e045137f0782c2f
jbig2_02_off00398c7b.bin  0x398C7B   7070  7.97     clean   077d114a7404d28617be800f7329580ea52f327c18a12707eaef3ab85cc984f5
jbig2_03_off0039afb5.bin  0x39AFB5   8628  7.98     clean   37e701bc237cc0272c0586db8656a0261cfcb8d02a209cf406130e04339243f3
jbig2_04_off0039daf1.bin  0x39DAF1  34941  7.99     clean   392335782d7b43dabfdf88f5edba4cbbe90e2894db63ff51d0627a9964c5c044
jbig2_05_off003a7c5a.bin  0x3A7C5A  15960  7.99     clean   7c6351636369d1dc9b27588a0f64eb1c9e6c77cc6c471718956161735a6ed2ed
jbig2_06_off003ac875.bin  0x3AC875  16647  7.99     clean   b086a119310c777e8778928cf4bdb17971885a0a81169e00790eb2dac2ee351b
jbig2_07_off003b1913.bin  0x3B1913  20778  7.99     clean   92184067a78764318c5d8960ad9de6206033804da55742e0523e67a0d941e97f
jbig2_08_off003b7b64.bin  0x3B7B64   3093  -        -       dad6564374ab6c39859b56ea8381501c1a0ec439239acbbc197ea5730db2ba08
jbig2_09_off003b8d14.bin  0x3B8D14  34306  8.00     clean   84beb83a9ec813eda0e7407011b5cb305b2be5f197136f42627cbc6c9b2d64ef
jbig2_10_off003c2e5a.bin  0x3C2E5A   9839  7.98     clean   046c88047e1345e384ff6ebce3a2a3952b79bc5c29055a5af645be09b85d4d18
jbig2_11_off003c5f40.bin  0x3C5F40  16588  7.99     clean   a10ef61f0d2d304068817bfb7999406e06254c34c26375b42e97d2e2bc7ff2d1
jbig2_12_off003caea2.bin  0x3CAEA2   3265  -        -       1085d2ea1267f153e1d697093534e557600876a8e602027aef7c49e215bce49b
jbig2_13_off003cc07d.bin  0x3CC07D  28222  7.99     clean   5cf5d96d5d2ebd086aa5d1ce21ca17de2edb44ef0b0b8a38a717a1fe7c332ad4
jbig2_14_off003d44a1.bin  0x3D44A1  25765  7.99     clean   0bee46dbb09ca8be95139402801325d258782c071831ab51fcf5163e1109b6dc
jbig2_15_off003dbc26.bin  0x3DBC26  29857  7.99     clean   09d52d8b9678c28d29be548a0cf7cd236b53bcdd0c1f5e18838e4e71043bf677
jbig2_16_off003e4874.bin  0x3E4874  29801  7.99     clean   598b525fa1800cf35caad0505cb988983b365d5a1aa76a1f791c83357775efee
jbig2_17_off003ed485.bin  0x3ED485  17017  7.99     clean   f079b2311f864918f0b012682b98bed8a823129b8a8c56cc5e31fe92754be236
jbig2_18_off003f2487.bin  0x3F2487  30286  7.99     clean   c0c02b32bd9898063a7be8409405ae573949c8fcf214943a69a5306e4d112d10
jbig2_19_off003fb324.bin  0x3FB324  25356  7.99     clean   9c865de87fb7043155fae008cc6ca99b5f866a50c347380fbbf7f7da2d1ba333
jbig2_20_off00402ab1.bin  0x402AB1  19880  7.99     clean   7e9218c4fd0d832b03ae7e56aca5aefc808bb84c0b81d830f29cfc3b09df19e2
jbig2_21_off00408888.bin  0x408888   8357  7.98     clean   cfdaeff053a9c22bf478654316a0d966037dd4f35477f8a04082451b9db5a790
jbig2_22_off0040b16b.bin  0x40B16B   3367  -        -       bd44155d25b65a05ad3326a477d4091961a7073df3c9789b091ba025177a9b86
jbig2_23_off0040c40e.bin  0x40C40E  23918  7.99     clean   e2fc729c962a8f95b9b9f4f98d306be6528760c4f56ffb5a051d0fbb710d2112
jbig2_24_off00413441.bin  0x413441   5366  7.96     clean   76253af3d0c5cc963c3d13dadea36887e4483ea4a7930815f56a1dfe52c2b7d3
jbig2_25_off00414fab.bin  0x414FAB   8011  7.98     clean   de182d97aa29604dd28fe0233d9ea720a072fd146cdd8239ab2096b67c222820
jbig2_26_off004177c7.bin  0x4177C7   3474  -        -       5573be6434c14ccd1b20bd69f5b4299bd5cc8cc25e8fc3395d6605dcfae04b68
jbig2_27_off00418b2a.bin  0x418B2A  25982  7.99     clean   b457a34b4525588fdb8dd5e6e83dd91dae0a4be656fae17c7a59eb3d8216546a
jbig2_28_off004204e3.bin  0x4204E3  31445  7.99     clean   456919db8bbd7945b94c3337bd61a09f2d47dea958e58942d753f49bf05330aa
jbig2_29_off0042973d.bin  0x42973D  18702  7.99     clean   e3ed0c65d20bb83581056e1b9aed7984ded8d869b0f340e860cf6c23bb18c35e
jbig2_30_off0042f0cb.bin  0x42F0CB  22991  7.99     clean   a9e41928536e7b8e8865dabd0f2851491cd726e4ebafc63d43e92f787d0b0cab
jbig2_31_off00435c51.bin  0x435C51  32571  7.99     clean   686eef35fc12f5dcdd02a2779f5a8c45e7ad16ed1e314404ba0d8479bb15705a
(- = the scanner produced no detection entry for this artifact; Size in bytes, Entropy in bits per byte; ClamAV "clean" = No threats found)
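Added example, not from the scanner: the two checks a reviewer would run on one of the carved streams above. First the Shannon entropy that the "Obfuscation or payload: likely" flag is based on, computed on constructed data to show that ordinary deflate-compressed text scores in the same 7.9+ range as these JBIG2 streams; second a walk over the ITU-T T.88 segment headers, which answers the question entropy cannot: is this blob a well-formed JBIG2 segment sequence at all. The segment-header encoder used to build the sample stream and the well-formedness criterion in looks_like_jbig2 are my assumptions; the region body is filler, so the sample is valid only at the framing level and would not decode to an image.

```python
"""Second-stage checks for a carved JBIG2 stream: the entropy behind the "Obfuscation or
payload: likely" flag, then a structural walk of the T.88 segment headers."""
import hashlib
import math
import struct
import zlib

# T.88 7.3 segment types that can appear in a PDF-embedded stream (PDF omits the file
# header and the end-of-page / end-of-file segments, PDF 32000-1 section 7.4.7).
SEGMENT_TYPES = {
    0: "symbol dictionary", 4: "intermediate text region", 6: "immediate text region",
    7: "immediate lossless text region", 16: "pattern dictionary", 20: "intermediate halftone region",
    22: "immediate halftone region", 23: "immediate lossless halftone region",
    36: "intermediate generic region", 38: "immediate generic region",
    39: "immediate lossless generic region", 40: "intermediate refinement region",
    42: "immediate refinement region", 43: "immediate lossless refinement region",
    48: "page info", 50: "end of stripe", 53: "tables", 62: "extension",
}


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_segment_header(buf, pos):
    """Parse one segment header (T.88 7.2) at pos; return (header, offset of its data)."""
    start = pos
    number, flags = struct.unpack_from(">IB", buf, pos)
    pos += 5
    count = buf[pos] >> 5                           # referred-to segment count, short form
    if count == 7:                                  # long form: 29-bit count, then retain bits
        count = struct.unpack_from(">I", buf, pos)[0] & 0x1FFFFFFF
        pos += 4 + (count + 8) // 8
    else:
        pos += 1
    ref_size = 1 if number <= 256 else 2 if number <= 65536 else 4
    if pos + count * ref_size > len(buf):
        raise ValueError(f"segment header at {start:#x}: referred-to list runs past end of stream")
    refs = [int.from_bytes(buf[pos + i * ref_size:pos + (i + 1) * ref_size], "big") for i in range(count)]
    pos += count * ref_size
    if flags & 0x40:                                # page association size: 4 bytes instead of 1
        page = struct.unpack_from(">I", buf, pos)[0]
        pos += 4
    else:
        page = buf[pos]
        pos += 1
    length = struct.unpack_from(">I", buf, pos)[0]
    return {"number": number, "type": flags & 0x3F, "refs": refs, "page": page, "length": length}, pos + 4


def walk_segments(buf):
    """Walk a PDF-embedded (headerless) JBIG2 stream; raise ValueError if it is not well formed."""
    pos, segments = 0, []
    while pos < len(buf):
        try:
            header, pos = parse_segment_header(buf, pos)
        except (struct.error, IndexError):
            raise ValueError(f"truncated segment header at {pos:#x}") from None
        if header["length"] == 0xFFFFFFFF or pos + header["length"] > len(buf):
            raise ValueError(f"segment {header['number']}: data length {header['length']} exceeds stream")
        header["kind"] = SEGMENT_TYPES.get(header["type"], f"unknown ({header['type']})")
        segments.append(header)
        pos += header["length"]
    return segments


def looks_like_jbig2(buf):
    """Criterion used here: every byte belongs to a segment of a known type. Referred-to
    segments are not resolved, since shared dictionaries may live in /JBIG2Globals."""
    try:
        segments = walk_segments(buf)
    except ValueError:
        return False
    return bool(segments) and all(s["type"] in SEGMENT_TYPES for s in segments)


def _segment(number, seg_type, page, data, refs=()):
    """Encode a short-form header: up to 4 referred-to segments, 1-byte page association."""
    header = struct.pack(">IB", number, seg_type) + bytes([len(refs) << 5])
    ref_size = 1 if number <= 256 else 2 if number <= 65536 else 4
    header += b"".join(r.to_bytes(ref_size, "big") for r in refs)
    return header + bytes([page]) + struct.pack(">I", len(data)) + data


def build_sample_stream():
    """Constructed, not one of the carved artifacts: a page-info segment followed by an
    immediate lossless generic region whose body is filler (valid framing, no real image)."""
    page_info = struct.pack(">IIIIBH", 64, 64, 0, 0, 0, 0)     # width, height, xres, yres, flags, striping
    region_info = struct.pack(">IIIIB", 64, 64, 0, 0, 0)        # region segment information field
    generic = region_info + b"\x00" + b"\xAA" * 512             # generic region flags + filler
    return _segment(0, 48, 1, page_info) + _segment(1, 39, 1, generic)


def entropy_comparison():
    """Constructed: 64 kB of hex text is ~4 bits/byte raw but scores like the carved streams
    once deflated, which is why entropy alone cannot tell compressed images from payloads."""
    hex_text = b"".join(hashlib.sha256(i.to_bytes(4, "big")).hexdigest().encode() for i in range(1000))
    return shannon_entropy(hex_text), shannon_entropy(zlib.compress(hex_text, 9))


if __name__ == "__main__":
    raw, deflated = entropy_comparison()
    print(f"hex text: {raw:.2f} bits/byte, deflated: {deflated:.2f} bits/byte")
    for seg in walk_segments(build_sample_stream()):
        print(f"segment {seg['number']} type {seg['type']} ({seg['kind']}) page {seg['page']} length {seg['length']}")
```

On a carved artifact, `walk_segments(open("jbig2_01_off00393fe1.bin", "rb").read())` either lists page-info and region segments whose lengths tile the file exactly, or raises at the first offset where the bytes stop being JBIG2 framing; the latter, not the entropy, is what would justify treating a stream as a hidden payload.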