Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e15ad784556fbf7…

Verdict: MALICIOUS
File type: PDF
Size: 631.5 KB
MD5: 8f1af5ab01c7e156eceb9438f76410f3
SHA-1: 316462e6584ae09cdd0961e83a1b1e85346b45b9
SHA-256: 5e15ad784556fbf73129c7171b0fcb40ab265727ff24caa7f021c364dc2cb902
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries multiple embedded JavaScript streams (stream_001, stream_002, stream_012 and stream_013 in the artifact list) and an XFA form package, which together give it an active-content surface. The heuristics flag a possible relationship to CVE-2023-26369, an out-of-bounds write in Adobe Acrobat and Reader font handling that was exploited in the wild in 2023, because an embedded TrueType font carries bitmap tables; the rule only checks for those tables next to active content and does not verify a malformed EBLC/EBDT record, so this is a lead rather than a confirmed exploit. The JavaScript-related firings (PDF_JS_EXPLOIT_CLUSTER, PDF_EMBEDDED_SCRIPT_PAYLOAD) show string building via String.fromCharCode and an XFA <script> element, but nothing in the report shows a download or shell-execution primitive: PDF_EMBEDDED_SCRIPT_PAYLOAD itself records the absence of Windows shell-execution primitives, and none of the extracted URLs is a payload endpoint. The Nyx classifier gives only a 0.2668 suspicious score, so the MALICIOUS verdict rests on the heuristic correlation, not on the model. Whether the scripts fetch and run a second stage still has to be established by reading the decoded JS streams or by dynamic analysis.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2668

Heuristics (9)

  • [high, CVE related] TrueType bitmap font + active content (CVE-2023-26369 related), rule PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution and was actively exploited in the wild, but this rule only detects bitmap tables next to active content; it does not validate the malformed EBLC/EBDT primitive. The Monotype and Microsoft typography URLs in the URL list below are vendor strings of the kind carried in TrueType name tables (ms_arial.html identifies Arial), and stock Arial ships with EBDT/EBLC/EBSC embedded-bitmap tables, so bitmap tables are expected in that font; parse its EBLC/EBDT records before treating this hit as an exploit.
  • [critical] PDF JavaScript exploit cluster, rule PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; the rule scores the correlated cluster as high-confidence malicious behaviour. In this sample the staging indicators are String.fromCharCode and the XFA script element, both of which also occur in legitimate XFA forms, so read the decoded JS streams before relying on this verdict.
  • [medium] Embedded script payload in PDF stream, rule PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • [low] XFA form, rule PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • [low] JavaScript action, rule PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • [low] Embedded JS stream, rule PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • [low] String.fromCharCode, rule PDF_FROMCHARCODE
    String.fromCharCode found; it is used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • [info] Suspicious extracted artifact, rule EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL, rule EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    The extracted URLs fall into the groups below. None is a download or command endpoint, so this list does not answer the second-stage question either way.
    XML namespace and schema URIs from the XFA package and XMP metadata:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/data-description/
    • http://www.xfa.org/schema/xci/3.0/
    • http://www.xfa.org/schema/xfa-template/3.0/
    • http://www.xfa.org/schema/xfa-template/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-connection-set/2.8/
    • http://www.w3.org/1999/xhtml
    Adobe Reader download and update links (typically from the placeholder page an XFA form shows in viewers without XFA support):
    • http://www.adobe.com/go/reader_download
    • http://www.adobe.com/go/acrreader
    • http://cgi.adobe.com/special/acrobat/update
    Font vendor strings from embedded font name tables (in the raw carve the first one is fused with the following name-table string "Monotype", and the three Monotype pages and the two Adobe pages are run together):
    • http://www.monotype.com
    • http://www.monotype.com/html/mtname/ms_arial.html
    • http://www.monotype.com/html/mtname/ms_welcome.html
    • http://www.monotype.com/html/type/license.html
    • http://www.microsoft.com/typography
    • http://www.adobe.com/type
    • http://www.adobe.com/type/legal.html
    Certificate-chain URLs (OCSP, CRL, AIA, policy and logotype). In the raw carve these carry trailing characters such as 0, 0D, 04 and 0*: the ASN.1 SEQUENCE tag (0x30, the character '0') and length byte that follow each URL in DER, not part of the URL. The VeriSign Class 3 Code Signing 2010 CA, Thawte timestamping and Microsoft CodeSignPCA endpoints are consistent with an Authenticode code-signing chain rather than a PDF document signature, so locate the artifact that holds these certificates and check whether a signed executable is embedded:
    • http://ocsp.verisign.com
    • http://ocsp.verisign.com/ocsp/status
    • https://www.verisign.com/rpa
    • https://www.verisign.com/cps
    • http://crl.verisign.com/tss-ca.crl
    • http://crl.verisign.com/ThawteTimestampingCA.crl
    • http://crl.verisign.com/pca3-g5.crl
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer
    • http://logo.verisign.com/vslogo.gif
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl
    Other (not a namespace, vendor or certificate URL; check which stream references it and through which channel):
    • http://www.bde.es/IntDescExc
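The heuristics above are textual indicator matches over the raw file and over inflated streams, plus a structural check of embedded sfnt fonts, correlated into the cluster and CVE-related rules. The Python below is an added example written for this page, not the analyzer's own code: it carves stream objects, inflates /FlateDecode bodies, matches the indicator patterns, reads the sfnt table directory for bitmap tables, and derives the two correlation rules. The rule names follow the report; the regexes, the PDF_EVAL_UNESCAPE name, the correlation logic and the in-memory sample PDF are this example's own assumptions.

```python
"""Static PDF triage: active-content indicators, exploit-staging tokens and
embedded sfnt fonts carrying bitmap tables. Constructed example for this
report, not the analyzer's code; rule names follow the report, while the
patterns and the in-memory sample PDF are this example's own."""
import re
import struct
import zlib

# Indicator patterns applied to the raw file and to every decoded stream.
# PDF_EVAL_UNESCAPE is this example's name for the eval/unescape staging check.
INDICATORS = {
    "PDF_JAVASCRIPT": rb"/JavaScript\b",
    "PDF_JS": rb"/JS\b",
    "PDF_XFA": rb"/XFA\b",
    "PDF_FROMCHARCODE": rb"String\.fromCharCode",
    "PDF_EVAL_UNESCAPE": rb"\b(?:eval|unescape)\s*\(",
    "PDF_EMBEDDED_SCRIPT_PAYLOAD": rb"<script\b",
}
# sfnt tables that hold embedded bitmaps (the surface the CVE rule keys on).
BITMAP_TABLES = {b"EBDT", b"EBLC", b"EBSC", b"CBDT", b"CBLC", b"sbix"}

# Stream dictionary (one level of nesting) directly followed by 'stream'.
DICT_RE = re.compile(rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n")
# Direct /Length only; an indirect '/Length 7 0 R' takes the endstream fallback.
LEN_RE = re.compile(rb"/Length\s+(\d+)(?=\s*[/>\r\n])")


def iter_streams(pdf):
    """Yield (stream_dict, body) for each stream, inflating /FlateDecode bodies."""
    for m in DICT_RE.finditer(pdf):
        d, start = m.group(1), m.end()
        ln = LEN_RE.search(d)
        end = start + int(ln.group(1)) if ln else pdf.find(b"endstream", start)
        if end < start or end > len(pdf):
            continue  # missing or bogus length: skip this stream
        body = pdf[start:end]
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt stream: keep scanning the rest
        yield d, body


def sfnt_tables(blob):
    """Table tags from an sfnt directory (TrueType 0x00010000/'true' or CFF 'OTTO')."""
    if len(blob) < 12 or blob[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        return set()
    (num_tables,) = struct.unpack(">H", blob[4:6])
    tags = set()
    for i in range(num_tables):
        off = 12 + 16 * i  # 16-byte records: tag, checksum, offset, length
        if off + 16 > len(blob):
            break  # truncated directory
        tags.add(blob[off:off + 4])
    return tags


def triage(pdf):
    """Rule hits with where they matched, plus the derived correlation rules."""
    hits = {}

    def scan(data, where):
        for rule, pat in INDICATORS.items():
            if re.search(pat, data):
                hits.setdefault(rule, set()).add(where)

    scan(pdf, "raw")
    bitmap_fonts = []
    for i, (_d, body) in enumerate(iter_streams(pdf)):
        where = f"stream_{i}"
        scan(body, where)
        if sfnt_tables(body) & BITMAP_TABLES:
            bitmap_fonts.append(where)

    active = bool({"PDF_JAVASCRIPT", "PDF_JS", "PDF_XFA"} & set(hits))
    staging = bool({"PDF_FROMCHARCODE", "PDF_EVAL_UNESCAPE",
                    "PDF_EMBEDDED_SCRIPT_PAYLOAD"} & set(hits))
    return {
        "hits": {k: sorted(v) for k, v in hits.items()},
        "bitmap_font_streams": bitmap_fonts,
        # Active content correlated with staging tokens.
        "PDF_JS_EXPLOIT_CLUSTER": active and staging,
        # Bitmap tables next to active content; says nothing about a malformed record.
        "PDF_CVE_2023_26369_RELATED": active and bool(bitmap_fonts),
    }


def build_sample_pdf():
    """Constructed sample: JS OpenAction, XFA package with <script>, and a
    TrueType stub whose directory lists EBDT/EBLC (no real glyph data)."""
    js = zlib.compress(b"// constructed: builds 'alert' from code points, then calls it\n"
                       b"var parts = [97, 108, 101, 114, 116];\n"
                       b"var name = String.fromCharCode.apply(null, parts);\n"
                       b"eval(name)('decoded');\n")
    xfa = zlib.compress(b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
                        b'<script contentType="application/x-javascript">'
                        b'var u = unescape("%u4141%u4141");</script>'
                        b'</template></xdp:xdp>')
    font = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 3, 32, 1, 16)
    for tag in (b"EBDT", b"EBLC", b"glyf"):
        font += tag + struct.pack(">III", 0, 0, 0)  # checksum, offset, length

    def obj(num, d, body=None):
        out = b"%d 0 obj\n" % num + d
        if body is not None:
            out += b"\nstream\n" + body + b"\nendstream"
        return out + b"\nendobj\n"

    return b"".join([
        b"%PDF-1.7\n",
        obj(1, b"<< /Type /Catalog /Pages 2 0 R"
               b" /OpenAction << /S /JavaScript /JS 4 0 R >>"
               b" /AcroForm << /Fields [] /XFA 5 0 R >> >>"),
        obj(2, b"<< /Type /Pages /Kids [] /Count 0 >>"),
        obj(4, b"<< /Length %d /Filter /FlateDecode >>" % len(js), js),
        obj(5, b"<< /Length %d /Filter /FlateDecode >>" % len(xfa), xfa),
        obj(6, b"<< /Length %d /Length1 %d >>" % (len(font), len(font)), font),
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

On the sample the script reports the catalog's /JavaScript, /JS and /XFA keys in the raw bytes, String.fromCharCode and eval in the first decoded stream, unescape and the <script> tag in the XFA stream, and the EBDT/EBLC tags in the font stream, so both correlation rules fire; as with the report's own rule, the CVE-related flag still says nothing about whether the EBLC/EBDT records are malformed, which needs a real sbit parser.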

Extracted artifacts (11)

Files carved from inside the sample during analysis. For each artifact: filename, SHA-256, kind, source and size, followed by the per-artifact detection results where the static triage flagged anything.

stream_001_off00000121.js
  SHA-256: dce7f7ebf6612f0dbc0daf4a7468618c8c43cb1f9d11990a67d193ae6773fda0
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x121
  Size: 2568 bytes

stream_002_off00000511.js
  SHA-256: d0474e9e899b32fa82ad0af875d29297823535a0fc0462d5cf9d248952d37138
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x511
  Size: 323976 bytes
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

stream_003_off000164f1.bin
  SHA-256: 984e33597cee6a139b4eb9668deb8ae3fd023cb2f29b1dac2e77dd6be0d9a93d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x164F1
  Size: 2893 bytes

stream_005_off00016a94.bin
  SHA-256: c33fb1ac7109889c7c4b9c859e851de7c5d7b479cf91705d24a8792a803323cf
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16A94
  Size: 332 bytes

stream_006_off00016bbc.bin
  SHA-256: 2fbf41b1a2bb21ba187129af7950b6347366ab56e78cf501248c1eb8f0960703
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16BBC
  Size: 5523 bytes

stream_010_off00066471.bin
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x66471
  Size: 367087 bytes

stream_012_off0009acd3.js
  SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9ACD3
  Size: 1363 bytes

stream_013_off0009aeb1.js
  SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9AEB1
  Size: 902 bytes

objstm_0013_00.bin
  SHA-256: 57b13bfa12ee6c264fd8fa414b8686696bc052252f08d22895b85f753c0d3566
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 13 0 obj (inflated)
  Size: 14639 bytes
  Detection
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 long base64-like blob(s).

font_00_sfnt_off00017022.bin
  SHA-256: bb2941ec4287d456b111082246b159a552fabcbd95c93efecdf11c9146f57370
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17022
  Size: 96552 bytes

font_01_sfnt_off00027474.bin
  SHA-256: b8a01f1bf52ef962d6ee77e0a9299704d38617565ea12f2a6dc7a39cdb0062eb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27474
  Size: 98046 bytes

Reading the artifact list: the four .js streams (stream_001, stream_002, stream_012 and stream_013) are the active content the heuristics scored, and stream_002 at 324 KB is far larger than form glue script; XFA packages embed pictures as base64 inside <image> elements, which is one benign explanation for long base64-like blobs that has to be ruled out. Both "Obfuscation or payload: likely" verdicts rest on token and blob counts rather than on decoded content, and ClamAV finds nothing in either artifact, so decode the blobs and type them (image header, PE header, high-entropy packed data) before calling them a payload. The two sfnt fonts are the inputs to the CVE-2023-26369 rule; parsing their EBLC/EBDT records is what moves that rule from "related" to confirmed or dismissed.
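The "Obfuscation or payload: likely" verdicts above count decoder tokens and long base64-like blobs without looking inside them. The Python below is an added example for this report, not the analyzer's code, and goes one step further than the page's check: it decodes each blob, types it by magic bytes, measures its Shannon entropy and counts decoder tokens, so that an XFA-embedded image can be separated from an embedded executable or packed data. The blob regex, the magic list, the entropy threshold and the constructed XFA-like sample stream are this example's own assumptions.

```python
"""Classify long base64-like blobs carved from PDF/XFA streams. Constructed
example for this report, not the analyzer's code: decodes each blob, types it
by magic bytes, measures entropy and counts decoder tokens."""
import base64
import binascii
import hashlib
import math
import re

# A run of at least 64 base64 characters not preceded by another base64 char.
BLOB_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}")
DECODER_TOKENS = re.compile(rb"\b(?:eval|unescape|fromCharCode|atob|ActiveXObject)\b")
MAGIC = [  # (prefix, kind); prefixes do not overlap, so order is not significant
    (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"), (b"GIF8", "gif"),
    (b"%PDF", "pdf"), (b"MZ", "pe"), (b"\x7fELF", "elf"), (b"PK\x03\x04", "zip"),
]
EXECUTABLE_KINDS = {"pe", "elf", "zip"}
HIGH_ENTROPY = 7.2  # bits per byte; assumed threshold for packed or encrypted data


def shannon_entropy(data):
    """Bits per byte of the byte distribution (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def classify_blob(b64):
    """Decode one base64 blob and type it; undecodable text is reported as such."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return {"kind": "not-base64", "size": 0, "entropy": 0.0}
    kind = next((k for magic, k in MAGIC if raw.startswith(magic)), "unknown")
    return {"kind": kind, "size": len(raw), "entropy": round(shannon_entropy(raw), 2)}


def triage_artifact(data):
    """Blob classification, decoder-token count and a verdict with its reasons."""
    blobs = [classify_blob(m.group(0)) for m in BLOB_RE.finditer(data)]
    tokens = DECODER_TOKENS.findall(data)
    reasons = []
    if tokens:
        reasons.append("decoder tokens: " + ", ".join(sorted({t.decode() for t in tokens})))
    for b in blobs:
        if b["kind"] in EXECUTABLE_KINDS:
            reasons.append(f"base64 blob decodes to {b['kind']} ({b['size']} bytes)")
        elif b["kind"] == "unknown" and b["size"] > 256 and b["entropy"] > HIGH_ENTROPY:
            reasons.append(f"high-entropy unknown blob ({b['size']} bytes, H={b['entropy']})")
    return {"blobs": blobs, "decoder_tokens": len(tokens),
            "verdict": "likely" if reasons else "unlikely", "reasons": reasons}


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for packed data."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_sample_stream():
    """Constructed XFA-like stream: one embedded PNG (benign), one base64 PE stub,
    one high-entropy blob and an inline script that uses decoder functions."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 300  # header only, not a real image
    pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + pseudo_random(300)
    packed = pseudo_random(2048)
    return (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
            b'<image contentType="image/png">' + base64.b64encode(png) + b'</image>'
            b'<data>' + base64.b64encode(pe) + b'</data>'
            b'<data>' + base64.b64encode(packed) + b'</data>'
            b'<script contentType="application/x-javascript">'
            b'var code = unescape(atob(payload)); eval(code);</script>'
            b'</template></xdp:xdp>')


if __name__ == "__main__":
    result = triage_artifact(build_sample_stream())
    print(result["verdict"], result["decoder_tokens"], result["reasons"])
```

On the constructed stream the PNG blob decodes to a known image type with near-zero entropy and contributes nothing to the verdict, while the MZ-prefixed blob, the high-entropy blob and the unescape/atob/eval tokens each produce a reason; a stream holding only base64 images and no decoder tokens comes out "unlikely", which is the distinction the report's count-based check cannot make.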