PDF static analysis report

Static analysis result for SHA-256 66e0a4323eeaccaa…

CLEAN

PDF

Size: 6.87 MB
Created: 2014-04-28 09:40:20 +02:00
Authoring application: Microsoft® Word 2013
First seen: 2020-09-04
MD5: c0a8c87a215563d2dd31897fdf427dc9
SHA-1: 20b0aa26df6596b7a8b44118ef8439e4cd7875cf
SHA-256: 66e0a4323eeaccaa0c8bcb82883ec0432a3a49bdfc9c0b521bc7d5e3004d7c7c
Risk Score: 6

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF document exhibiting characteristics related to CVE-2023-26369, a vulnerability known to allow for arbitrary code execution. It also contains an external URI, suggesting a potential download or redirection to a malicious resource. The document body is heavily obfuscated and unreadable, preventing further analysis of its specific lure.

Machine Learning

  • Nyx PDF Classifier clean score 0.0110

Heuristics (3)

  • [info] TrueType bitmap font + active content — CVE-2023-26369 related (tag: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • [info] External URI (rule: PDF_URI)
    PDF contains an external URL action.
  • [info] Embedded URL (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                       Size
stream_187_off003c3a87.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3C3A87   255088 bytes
    SHA-256: a1ca7604cdf0a4deea4b3076430388824571836c96c8c883b3ba1bf3a65bf3e0
stream_188_off003e2d86.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3E2D86   273536 bytes
    SHA-256: 87e92fafa3ec6b9d857af38cdc532c55e516438bcc2184b98123a778970e925d
stream_193_off0045576d.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x45576D   244232 bytes
    SHA-256: 1d6677d6996ef365cf9aa6152c508b70d8c82726eb1e713e691f3a645fd2d7d0
font_00_cff_off006da905.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6DA905   1307 bytes
    SHA-256: 58a010568846f84c1d79d89a751bf4352243144f8c10ee5099257e68d3bcb4ec
font_01_cff_off006db09a.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6DB09A   1198 bytes
    SHA-256: ea986255df52e7faac67f091678de126aeb5f9798ce95913ace32e975a4b9932
font_02_cff_off006db7f3.bin  pdf-font-stream          PDF embedded font (cff) at offset 0x6DB7F3   1460 bytes
    SHA-256: 475b9ab88686c6f9f97ef9ac3e85c5f31ab399d8e37f7ef7c02a82b02d864c14