Verdict: CLEAN
Risk Score: 6
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a PDF document exhibiting characteristics related to CVE-2023-26369, a vulnerability known to allow for arbitrary code execution. It also contains an external URI, suggesting a potential download or redirection to a malicious resource. The document body is heavily obfuscated and unreadable, preventing further analysis of its specific lure.
Machine Learning
- Nyx PDF Classifier clean score 0.0110
Heuristics (3)
- TrueType bitmap font + active content, CVE-2023-26369 related (info, PDF_CVE_2023_26369_RELATED): the PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- External URI (info, PDF_URI): the PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
- URL http://www.developpement-durable.gouv.fr/Quels-sont-les-nouveaux-tarifs-d.html (in PDF document text)
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_187_off003c3a87.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3C3A87 | 255088 bytes | a1ca7604cdf0a4deea4b3076430388824571836c96c8c883b3ba1bf3a65bf3e0 |
| stream_188_off003e2d86.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3E2D86 | 273536 bytes | 87e92fafa3ec6b9d857af38cdc532c55e516438bcc2184b98123a778970e925d |
| stream_193_off0045576d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x45576D | 244232 bytes | 1d6677d6996ef365cf9aa6152c508b70d8c82726eb1e713e691f3a645fd2d7d0 |
| font_00_cff_off006da905.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x6DA905 | 1307 bytes | 58a010568846f84c1d79d89a751bf4352243144f8c10ee5099257e68d3bcb4ec |
| font_01_cff_off006db09a.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x6DB09A | 1198 bytes | ea986255df52e7faac67f091678de126aeb5f9798ce95913ace32e975a4b9932 |
| font_02_cff_off006db7f3.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x6DB7F3 | 1460 bytes | 475b9ab88686c6f9f97ef9ac3e85c5f31ab399d8e37f7ef7c02a82b02d864c14 |