Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f97874f8f203552…

MALICIOUS

PDF

3.16 MB Created: 2015-10-22 14:24:35 +03:00 Authoring application: Microsoft® Office Word 2007
MD5: e531ec12fb3b07eeca63667a9987a4c3 SHA-1: c2d8d53138de94ee8f1b49e18bd743043d91210c SHA-256: 4f97874f8f203552f3ab3b3b9df5e8b0b7e1bef5b42e4089a020e8e0575435c0
68 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link T1204.002 Malicious App

The PDF file exhibits characteristics indicative of exploitation, specifically the 'PDF_CVE_2023_26369_RELATED' heuristic firing, suggesting an attempt to leverage a known vulnerability. The presence of an external URI and a high stream count further supports this. While no scripts were extracted, the PDF structure and heuristics point towards a malicious document designed to exploit a vulnerability, likely for payload delivery.

Machine Learning

  • Nyx PDF Classifier clean score 0.0028

Heuristics 4

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • External URI low PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.color.org
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_200_off0028c9a6.bin
32420715fab74ee5104e8ed51cf3d9cb44cf77116c24541571eceadef46d1d4c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x28C9A6 199432 bytes
stream_204_off002b23f3.bin
393cecdbedaff376afb5ab12330d7854fd0193fbf23ce0017f5bcb47ba59781a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2B23F3 273124 bytes
stream_205_off002c4bcc.bin
2fbd7df6bdb03301a93886ec4fd0b73cfdbb6038b0fd2529340e94ac6f859129		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2C4BCC 279560 bytes
stream_206_off002d7671.bin
de6ebce8190ca80fc2022134a4de62f302db8e7c5cf1313789b6998a704ad759		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2D7671 182388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.