Malicious PDF — malware analysis report

Static analysis result for SHA-256 60c99b2eef7989d0…

Verdict: MALICIOUS
File type: PDF
Size: 187.5 KB
Created: 2017-03-24 12:13:53 +01:00
Authoring application: RAD PDF (via RAD PDF 2.38.0.0 - http://www.radpdf.com)
MD5: 174b6114e9bdfbc58b060e9c3fd1d9fa
SHA-1: 74afead27709617fc8e1b7b2bfe75effd4e69fbd
SHA-256: 60c99b2eef7989d06def7d63c31eb991f1988f980e4e2d2537ea46a4d1d02873
Risk Score: 260

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

This PDF is a lure: it presents itself as a benign file but carries embedded JavaScript and repeated invisible link annotations that direct the user to a malicious URL, http://www.mumbasagluna.ga/wp-content/uploads/2015/03/.site1/~public_html/_geoZone/-favicon/index.aspx/.CroxHM92.csp&98G&OutLk.jsp.php?url=https://mail.outlook.com?svr=02872. That URL is either meant to fetch and execute a second-stage payload or, given its Outlook-themed redirect parameter and the Adobe/PDF-viewer-themed phishing pages among the extracted URLs, to harvest credentials. A URL shortener (ow.ly) further hides the final destination. The scanner also correlates the sample with CVE-2023-26369 because it embeds a TrueType font with bitmap tables next to active content. Treat that link as a heuristic correlation rather than confirmed exploitation: the rule does not validate the malformed EBLC/EBDT primitive, and the document's Created timestamp (2017-03-24) predates the 2023 disclosure, although PDF metadata is attacker-controlled and the timestamp alone rules nothing out.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9448

Heuristics (7)

  • TrueType bitmap font + active content [CVE related; severity: high; rule PDF_CVE_2023_26369_RELATED]
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 is an out-of-bounds write reached through the sfac_GetSbitBitmap function in Adobe's libCoolType that yields arbitrary code execution and was exploited in the wild. This rule only correlates the presence of such tables with active content; it does not validate the malformed EBLC/EBDT primitive, so it is a lead for manual inspection of the carved font, not proof of exploitation.
  • Invisible/repeated PDF links deliver payload file [severity: critical; rule PDF_REPEATED_PAYLOAD_LINK_LURE]
    PDF uses invisible link annotations that point to a direct payload download. Repeated invisible links, or lure-like payload names such as document/unlock/verify archives, match malware-delivery PDF carriers in which the page is only a prompt and the real payload is fetched from the linked URL.
  • PDF JavaScript exploit cluster [severity: critical; rule PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; the correlated cluster is treated as high-confidence malicious behavior.
  • Image-only PDF lure links through URL shortener [severity: high; rule PDF_IMAGE_LURE_SHORTENER_LINK]
    PDF is image-heavy with little real text and its clickable action points to a URL shortener. This is a high-confidence credential-phishing carrier shape: the visible page is a screenshot-like prompt while the destination is hidden behind redirect infrastructure.
  • Image-only document with action trigger (screenshot lure) [severity: medium; rule PDF_IMAGE_LURE]
    PDF has 1 image and 0 text blocks, carries a click-outward action, and is only 187 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Embedded JS stream [severity: low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [severity: info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.mumbasagluna.ga/wp-content/uploads/2015/03/.site1/~public_html/_geoZone/-favicon/index.aspx/.CroxHM92.csp&98G&OutLk.jsp.php?url=https://mail.outlook.com?svr=02872 (label: URL)
    • http://yukikondo.jp/wp-admin/pdf/index.php
    • https://fsdressbd.com/js/adobe_pdf/index.php
    • http://jagdambadigital.com/wp-includes/Adobe/form/index.html
    • http://gyansthalibhadeja.org/images/includes/pdf/index.php
    • http://www.mlsi.org/cp-west/NAVER/pdfview/index.html
    • http://govino2017.govino.com.au/trade/A/index.php
    • http://www.smkn1muaraenim.sch.id/link/go/BestPdf/index.php
    • http://smkn1muaraenim.sch.id/link/go/BestPdf/index.php
    • http://parkerg8.5gbfree.com/iiiiiii/index.php
    • http://www.radpdf.com
    • http://www.radpdf.com (second occurrence, extracted run together with the Info dictionary's adjacent /Author(Secured entry)
    • http://www.dynaforms.com
    • http://ow.ly/f23930eQ1U3
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.microsoft.com/typography/ctfonts and http://lucasfonts.com (extracted run together with the following "Microsoft" string from the embedded font's string data)
    • http://en.wikipedia.org/wiki/MIT_License
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
    • http://www.microsoft.com/pkiops/docs/primarycps.htm
    • http://www.microsoft.com/Typography/
    The Microsoft CRL, certificate and CPS URLs are the pointers found in a code-signing certificate chain, consistent with a signed font (DSIG table) being embedded in the document. The extractor had appended the ASN.1 tag and length bytes of the next DER element to each of them (0X, 0T, 0a, 0^, 0@ and similar); those bytes have been stripped here. The first ten URLs after the summary URL share the shape of Adobe/PDF-viewer-themed credential-harvesting pages and are the destinations to block and hunt for.
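The link-annotation and JavaScript heuristics above can be reproduced on the raw bytes of a PDF. The Python below is an added example, not the scanner's code: it inflates /FlateDecode streams so indicators in compressed objects are visible, lists the /URI link annotations, flags a URI repeated behind several zero-border (invisible) links, checks link hosts against a shortener list, and correlates active JavaScript with eval/unescape/fromCharCode. The shortener list, the sample PDF and the lure URLs inside it are constructed for the example and are not taken from the analysed file.

```python
import re
import zlib
from collections import Counter

# Shortener hosts are an assumption for this example; feed your own list in practice.
SHORTENER_HOSTS = {"ow.ly", "bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd"}
# Staging primitives the PDF_JS_EXPLOIT_CLUSTER rule names.
JS_STAGING = (b"eval", b"unescape", b"fromCharCode")


def inflate_streams(pdf: bytes) -> bytes:
    """Concatenate the plaintext of every /FlateDecode stream that inflates cleanly.
    decompressobj() tolerates a stream cut short by the regex (missing checksum byte)."""
    out = []
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            d = zlib.decompressobj()
            out.append(d.decompress(m.group(1)) + d.flush())
        except zlib.error:
            pass  # predictor, chained filters or corruption: not handled here
    return b"\n".join(out)


def host_of(url: bytes) -> str:
    m = re.match(rb"[A-Za-z][A-Za-z0-9+.-]*://([^/?#:]+)", url)
    return m.group(1).decode("latin-1").lower() if m else ""


def link_annotations(pdf: bytes):
    """Yield (uri, invisible) for each /Link annotation holding a literal /URI string
    (indirect /A objects and hex-encoded strings are not followed in this example).
    A zero-width /Border is the usual way to hide a full-page clickable region."""
    for obj in re.finditer(rb"\d+\s+\d+\s+obj(.*?)endobj", pdf, re.S):
        body = obj.group(1)
        if not re.search(rb"/Subtype\s*/Link", body):
            continue
        uri = re.search(rb"/URI\s*\(([^)]*)\)", body)
        if uri:
            invisible = re.search(rb"/Border\s*\[\s*0\s+0\s+0\s*\]", body) is not None
            yield uri.group(1), invisible


def triage(pdf: bytes) -> dict:
    text = pdf + b"\n" + inflate_streams(pdf)
    links = list(link_annotations(text))
    by_uri = Counter(uri for uri, _ in links)
    has_js = re.search(rb"/(JS|JavaScript)\b", text) is not None
    staging = sorted(k.decode() for k in JS_STAGING if k in text)
    return {
        "uris": sorted(by_uri),
        # one URI behind several hidden links: the PDF_REPEATED_PAYLOAD_LINK_LURE shape
        "repeated_invisible": [u for u, n in by_uri.items()
                               if n > 1 and all(inv for uu, inv in links if uu == u)],
        "shortener": [u for u in by_uri if host_of(u) in SHORTENER_HOSTS],
        "js_staging": staging,
        # active JavaScript plus a staging primitive: the PDF_JS_EXPLOIT_CLUSTER correlation
        "js_exploit_cluster": has_js and bool(staging),
    }


# Constructed sample (not the analysed file): two full-page invisible links to one lure
# URL, one visible link to a shortener, and a compressed OpenAction script using unescape().
LURE_URL = b"http://lure.example.test/wp-content/unlock/index.php"
SHORT_URL = b"http://ow.ly/EXAMPLE"
JS_Z = zlib.compress(b'app.launchURL(unescape("%68%74%74%70") + "://lure.example.test/", true);')


def link_obj(num: int, url: bytes, hidden: bool) -> bytes:
    border = b" /Border [0 0 0]" if hidden else b""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]%s "
            b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, border, url))


SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 5 0 R >> >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R 7 0 R 8 0 R] >> endobj\n",
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(JS_Z), JS_Z, b"\nendstream\nendobj\n",
    link_obj(6, LURE_URL, True), link_obj(7, LURE_URL, True), link_obj(8, SHORT_URL, False),
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(key, value)
```

Run `triage(open(path, "rb").read())` against a real sample; on the report's file the expected picture is the repeated invisible link to the mumbasagluna.ga URL, the ow.ly link flagged as a shortener, and the exploit cluster firing only if a staging primitive is actually present in the (inflated) JavaScript. Indirect /A action objects, hex strings and object streams need a real PDF parser (pdfminer, pypdf, peepdf) to follow; this byte-level pass is the quick first look.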

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000c9d4.bin
SHA-256: 3919491c16b6921682e0e7c056c55189829f97da5c68f90c415a2a464cb19c21
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xC9D4
Size: 329128 bytes (larger than the 187.5 KB PDF itself, so the font was stored as a compressed stream and carved after decoding)
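The carved font is the artifact a practitioner would inspect next. The Python below is an added example, not part of the report or its scanner: it parses the sfnt table directory of a file such as font_00_sfnt_off0000c9d4.bin, reports which embedded-bitmap tables (EBLC/EBDT, CBLC/CBDT, sbix, bloc/bdat) are present, checks that every table lies inside the carved blob, and runs structural sanity checks on the EBLC BitmapSize records, the part the PDF_CVE_2023_26369_RELATED rule leaves unvalidated. The three fonts it analyses are constructed inside the block; the checks flag inconsistent strike tables and do not reproduce the CVE-2023-26369 trigger.

```python
import struct

# Embedded-bitmap tables an sfnt may carry; EBLC/EBDT are the pair the report's rule names.
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix", b"bdat", b"bloc"}
SFNT_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


def sfnt_tables(data: bytes) -> dict:
    """Parse the sfnt table directory into {tag: (offset, length)}."""
    if len(data) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack(">IH", data[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError("unexpected sfnt version 0x%08x" % version)
    tables = {}
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            raise ValueError("table directory truncated at record %d" % i)
        tag, _checksum, offset, length = struct.unpack(">4sIII", rec)
        tables[tag] = (offset, length)
    return tables


def eblc_issues(data: bytes, tables: dict) -> list:
    """Structural sanity checks on EBLC BitmapSize records (48 bytes each after the
    8-byte header). These catch a strike table whose index subtables point outside the
    table or contradict each other; they are not a detector for the CVE itself."""
    issues = []
    if b"EBLC" not in tables:
        return issues
    off, length = tables[b"EBLC"]
    eblc = data[off:off + length]
    if len(eblc) < 8:
        return ["EBLC shorter than its 8-byte header"]
    major, minor, num_sizes = struct.unpack(">HHI", eblc[:8])
    if (major, minor) != (2, 0):
        issues.append("EBLC version %d.%d is not 2.0" % (major, minor))
    if 8 + 48 * num_sizes > len(eblc):
        issues.append("numSizes=%d overruns the table" % num_sizes)
        num_sizes = (len(eblc) - 8) // 48
    for i in range(num_sizes):
        rec = eblc[8 + 48 * i: 56 + 48 * i]
        ista_off, ista_size, n_sub, _color_ref = struct.unpack(">IIII", rec[:16])
        start, end, _ppem_x, _ppem_y, bit_depth, _flags = struct.unpack(">HHBBBb", rec[40:48])
        if ista_off + ista_size > len(eblc):
            issues.append("strike %d: index subtables [%d, %d) exceed EBLC length %d"
                          % (i, ista_off, ista_off + ista_size, len(eblc)))
        if n_sub * 8 > ista_size:  # each IndexSubTableArray element is 8 bytes
            issues.append("strike %d: %d array entries do not fit in %d bytes" % (i, n_sub, ista_size))
        if start > end:
            issues.append("strike %d: startGlyphIndex %d > endGlyphIndex %d" % (i, start, end))
        if bit_depth not in (1, 2, 4, 8, 32):  # 32 is only legal for CBLC colour strikes
            issues.append("strike %d: bitDepth %d is not a defined value" % (i, bit_depth))
    return issues


def analyze(data: bytes) -> dict:
    tables = sfnt_tables(data)
    return {
        "tables": sorted(t.decode("latin-1") for t in tables),
        "bitmap_tables": sorted(t.decode("latin-1") for t in tables if t in BITMAP_TABLES),
        "has_bitmap": any(t in BITMAP_TABLES for t in tables),
        # cheap check that the carved blob is whole: every table must lie inside it
        "truncated_tables": sorted(t.decode("latin-1") for t, (o, n) in tables.items() if o + n > len(data)),
        "eblc_issues": eblc_issues(data, tables),
    }


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal sfnt (checksums left at zero) for the constructed samples below."""
    tags = sorted(tables)
    n = len(tags)
    entry_selector = max(n.bit_length() - 1, 0)
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, n * 16 - search_range)
    directory, body = b"", b""
    for tag in tags:
        blob = tables[tag]
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(blob))
        body += blob + b"\0" * (-len(blob) % 4)
    return header + directory + body


def strike(ista_size: int) -> bytes:
    """One BitmapSize record whose index subtable array starts right after the EBLC header."""
    return (struct.pack(">IIII", 56, ista_size, 1, 0) + b"\0" * 24
            + struct.pack(">HHBBBb", 0, 10, 12, 12, 1, 1))


# Constructed fonts (not the carved artifact): a strike whose index tables run far past
# the end of the EBLC table, a well-formed strike, and an outline-only font with no bitmaps.
EBLC_HDR = struct.pack(">HHI", 2, 0, 1)
EBDT = b"\0\2\0\0" + b"\xff" * 32
FONT_BAD_EBLC = build_sfnt({b"head": b"\0" * 54, b"EBLC": EBLC_HDR + strike(0xFFFF), b"EBDT": EBDT})
FONT_OK_EBLC = build_sfnt({b"head": b"\0" * 54, b"EBLC": EBLC_HDR + strike(8) + b"\0" * 8, b"EBDT": EBDT})
FONT_PLAIN = build_sfnt({b"head": b"\0" * 54, b"glyf": b"\0" * 16, b"loca": b"\0" * 8})

if __name__ == "__main__":
    for name, font in (("bad", FONT_BAD_EBLC), ("ok", FONT_OK_EBLC), ("plain", FONT_PLAIN)):
        print(name, analyze(font))
```

Point `analyze(open(path, "rb").read())` at the carved file. A font that has EBLC/EBDT but clean strike records is not suspicious on its own (many Windows UI fonts ship embedded bitmaps); an EBLC whose index subtables run outside the table, or a directory entry that runs past the end of the blob, is the kind of inconsistency that justifies opening the font in a proper sfnt parser (fontTools) and, if the PDF also carries active content, treating the CVE correlation as more than a heuristic.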