Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a21cb24fb258c9b…

Verdict: MALICIOUS
File type: PDF
Size: 631.4 KB
MD5: 2b48afe8fe47c00ad5f59fafc7b7462a
SHA-1: 68ee2c127283be9d8af9dc72a43ebd7fbdfaf821
SHA-256: 6a21cb24fb258c9b54b0891637fd6896d1cdd3613c9174cd9067bfd1bee2805c
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains XFA forms and embedded JavaScript, and it embeds TrueType fonts that carry bitmap glyph tables. On their own these are indicators of active content, not of exploitation; the MALICIOUS verdict rests on the two correlation rules: PDF_JS_EXPLOIT_CLUSTER (an executable JavaScript/XFA surface together with String.fromCharCode staging) and PDF_CVE_2023_26369_RELATED (a bitmap-table font alongside active content). The CVE rule is a shape match only; it does not validate the malformed EBLC/EBDT structure the real exploit depends on, so the sample should be described as CVE-2023-26369-shaped rather than as a confirmed exploit until the carved fonts have been checked. The remaining signals are weak: ClamAV reports nothing and the Nyx classifier score is 0.2668. The carved JavaScript streams (stream_002, stream_012, stream_013) are where to establish what the script actually does; stream_002 carries decoder tokens and base64-like blobs, and the extracted URL list consists of schema, vendor and certificate endpoints rather than an obvious payload-download location, so the base64-like blobs in stream_002 and objstm_0013 are the first things to decode.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2668

Heuristics (9)

  • TrueType bitmap font + active content, CVE-2023-26369 related [high, CVE related] PDF_CVE_2023_26369_RELATED
    The PDF embeds a TrueType font carrying bitmap tables (EBDT/EBLC, CBDT or sbix) alongside exploit-delivery indicators. CVE-2023-26369 is an out-of-bounds write in sfac_GetSbitBitmap, the embedded-bitmap glyph loader in Adobe's libCoolType, and was exploited in the wild for arbitrary code execution. Caveat: this rule only checks that bitmap tables and active content co-occur; it does not validate the EBLC/EBDT structure for the malformed offsets or sizes the exploit relies on, so a hit is a shape match, not a confirmed exploit. The two carved sfnt fonts listed under Extracted artifacts are the inputs to inspect.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; the correlated cluster is treated as high-confidence malicious behaviour.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, which can carry script logic.
  • JavaScript action [low] PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; it is used to construct payload strings dynamically. It is also common in benign JavaScript libraries for code-point manipulation, so on its own this is informational; weaponised use is caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. See the Detection notes under Extracted artifacts for which files matched.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. With the exception of http://www.bde.es/IntDescExc, every entry below is an XMP/XFA schema namespace, an Adobe Reader download or update link, a font-vendor licence page, or an OCSP/CRL/AIA endpoint from the signing-certificate chain; this static pass found no URL that looks like a payload-staging location. The trailing characters 0, 04, 0* and 0D on the certificate URLs, the trailing backslashes, and the run-together monotype/adobe entries are carving artifacts (adjacent DER length bytes and adjacent font name-table strings), not part of the URLs.
    URLs:
    • http://www.monotype.comMonotype
    • http://ocsp.verisign.com0
    • http://www.adobe.com/go/reader_download
    • http://www.adobe.com/go/acrreader
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://www.xfa.org/schema/xci/3.0/
    • http://www.xfa.org/schema/xfa-template/3.0/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-template/2.8/\
    • http://www.w3.org/1999/xhtml\
    • http://www.xfa.org/schema/xfa-data/1.0/\
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-connection-set/2.8/
    • http://www.bde.es/IntDescExc
    • http://ns.adobe.com/data-description/
    • https://www.verisign.com/rpa
    • http://ocsp.verisign.com/ocsp/status0
    • https://www.verisign.com/rpa0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0
    • http://www.microsoft.com/typography
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html
    • http://cgi.adobe.com/special/acrobat/update
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://logo.verisign.com/vslogo.gif0
    • http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
    • http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
    • https://www.verisign.com/cps0*
    • http://logo.verisign.com/vslogo.gif04
    • http://crl.verisign.com/pca3-g5.crl04
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html
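The low and medium rules above, and the cluster rule built on them, are pattern matches over the raw file and over the inflated FlateDecode streams. The following is an added example, not the analysis platform's own code, of that triage logic in Python: it carves and inflates the streams, runs a rule set that reuses the report's rule identifiers, and raises the cluster verdict only when an executable surface (/JavaScript, /JS or /XFA) co-occurs with a staging idiom (eval, unescape, String.fromCharCode). The two PDFs it scans are constructed inline; the regex shapes, the severities and the exact cluster condition are assumptions about how such rules are written.

```python
import re
import zlib

# Constructed samples (synthetic stand-ins, not the analysed file): a script
# of the kind benign XFA forms carry, and one that also uses the staging
# idioms the exploit-cluster rule keys on.
BENIGN_JS = b"if (xfa.form.total.rawValue < 0) xfa.host.messageBox('bad total');"
STAGED_JS = (b"var h = unescape('%u4141%u4141'); "
             b"var s = String.fromCharCode(0x65, 0x76); eval(s + 'al(h)');")


def build_pdf(script: bytes) -> bytes:
    """Minimal PDF: the catalog carries an /XFA packet and a /JavaScript
    /OpenAction, both pointing at one FlateDecode stream that wraps `script`
    in an XFA <script> element.  xref/offsets are omitted; the scanner below
    does not need them."""
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>'
           b'<script contentType="application/x-javascript">' + script
           + b'</script></template></xdp:xdp>')
    body = zlib.compress(xfa)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /XFA 3 0 R >>"
        b" /OpenAction << /S /JavaScript /JS 3 0 R >> >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(body)
        + body + b"\nendstream endobj",
    ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Matches the dictionary preceding each "stream" keyword.  The non-greedy group
# may swallow earlier objects' text; that is harmless here because the captured
# dictionary is only inspected for the /FlateDecode filter name.
STREAM_RE = re.compile(rb"obj\s*<<(?P<dict>.*?)>>\s*stream\r?\n", re.S)


def carve_streams(pdf: bytes):
    """Yield (offset, bytes) for each stream object, inflating FlateDecode
    streams.  Other filters and broken zlib data are yielded raw so the rules
    still see them."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        end = pdf.find(b"endstream", start)
        if end < 0:
            break
        data = pdf[start:end]
        if b"/FlateDecode" in m.group("dict"):
            try:
                # decompressobj tolerates trailing bytes and truncated streams
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                pass
        yield start, data


# Rule table mirrors the report's low/medium rules (severities assumed).  The
# "where" label tells the analyst whether a hit was visible in the raw file or
# only after decoding a stream.
RULES = (
    ("PDF_XFA",                     "low",    re.compile(rb"/XFA\b")),
    ("PDF_JAVASCRIPT",              "low",    re.compile(rb"/JavaScript\b")),
    ("PDF_JS",                      "low",    re.compile(rb"/JS\b")),
    ("PDF_FROMCHARCODE",            "low",    re.compile(rb"String\.fromCharCode")),
    ("PDF_EMBEDDED_SCRIPT_PAYLOAD", "medium", re.compile(rb"<script\b")),
)
# Staging idioms that, together with an executable surface, raise the cluster.
STAGING_RE = re.compile(rb"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode")


def triage(pdf: bytes) -> dict:
    """Return {rule_id: (severity, where)} for every rule that fires."""
    hits = {}
    views = [("raw file", pdf)] + [("decoded stream @0x%x" % off, data)
                                   for off, data in carve_streams(pdf)]
    for rule_id, severity, rx in RULES:
        for where, buf in views:
            if rx.search(buf):
                hits[rule_id] = (severity, where)
                break
    surface = {"PDF_JAVASCRIPT", "PDF_JS", "PDF_XFA"} & hits.keys()
    staged = any(STAGING_RE.search(buf) for _, buf in views)
    if surface and staged:
        hits["PDF_JS_EXPLOIT_CLUSTER"] = ("critical", "correlated")
    return hits


if __name__ == "__main__":
    for label, js in (("benign form", BENIGN_JS), ("staged", STAGED_JS)):
        print(label, triage(build_pdf(js)))
```

Both constructed files fire PDF_XFA, PDF_JS, PDF_JAVASCRIPT and the medium <script> rule, exactly as a legitimate XFA form would; only the staged one adds PDF_FROMCHARCODE inside a decoded stream and therefore the critical cluster. That separation is the point of the correlation rule: the low rules describe the surface, the cluster describes intent.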

Extracted artifacts (11)

Files carved from inside the sample during analysis. Each entry gives filename, SHA-256, kind, source and (decoded) size.

stream_001_off00000121.js
  SHA-256: dce7f7ebf6612f0dbc0daf4a7468618c8c43cb1f9d11990a67d193ae6773fda0
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x121
  Size: 2568 bytes
stream_002_off00000511.js
  SHA-256: d0474e9e899b32fa82ad0af875d29297823535a0fc0462d5cf9d248952d37138
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x511
  Size: 323976 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building tokens and 2 long base64-like blobs.
stream_003_off000164f1.bin
  SHA-256: 984e33597cee6a139b4eb9668deb8ae3fd023cb2f29b1dac2e77dd6be0d9a93d
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x164F1
  Size: 2893 bytes
stream_005_off00016a94.bin
  SHA-256: c33fb1ac7109889c7c4b9c859e851de7c5d7b479cf91705d24a8792a803323cf
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16A94
  Size: 332 bytes
stream_006_off00016bbc.bin
  SHA-256: 974102283ae2fe2b228778ccf42bd5ff44ea251d604f9f32a5da1817816dfee3
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x16BBC
  Size: 5491 bytes
stream_010_off00066442.bin
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x66442
  Size: 367087 bytes
stream_012_off0009aca4.js
  SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9ACA4
  Size: 1363 bytes
stream_013_off0009ae82.js
  SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9AE82
  Size: 902 bytes
objstm_0013_00.bin
  SHA-256: 57b13bfa12ee6c264fd8fa414b8686696bc052252f08d22895b85f753c0d3566
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 13 0 obj (inflated)
  Size: 14639 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 2 long base64-like blobs.
font_00_sfnt_off00016ff3.bin
  SHA-256: bb2941ec4287d456b111082246b159a552fabcbd95c93efecdf11c9146f57370
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16FF3
  Size: 96552 bytes
font_01_sfnt_off00027445.bin
  SHA-256: b8a01f1bf52ef962d6ee77e0a9299704d38617565ea12f2a6dc7a39cdb0062eb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x27445
  Size: 98046 bytes
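The CVE-2023-26369 rule that fired on this sample looks for bitmap tables in an embedded sfnt but, as its own description says, does not validate the EBLC/EBDT structure. The following is an added example, not the analysis platform's code, of the check a practitioner would run next on the two carved fonts above: it parses the sfnt table directory, lists any bitmap tables, and walks every EBLC strike and index subtable to confirm that each imageDataOffset and glyph bitmap offset lands inside EBDT and that the offset arrays are monotonic (a non-monotonic array makes the per-glyph size, computed as the difference of adjacent offsets, wrap negative). The fonts it checks are constructed inline: one consistent, one whose imageDataOffset points past EBDT, and one with a non-monotonic offset array. Which malformation the in-the-wild exploit actually used is not something this page establishes, so treat these as generic structural sanity tests, not as a signature for the CVE.

```python
import struct

BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix", b"bdat", b"bloc"}


def sfnt_tables(font: bytes):
    """Parse the sfnt table directory -> ({tag: (offset, length)}, problems)."""
    problems = []
    if len(font) < 12 or font[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        return {}, ["not a single sfnt font (collections are not handled here)"]
    num_tables = struct.unpack(">H", font[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = font[12 + 16 * i: 28 + 16 * i]
        if len(rec) < 16:
            problems.append("table directory truncated at record %d" % i)
            break
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(font):
            problems.append("table %r runs past end of font" % tag)
            continue
        tables[tag] = (off, length)
    return tables, problems


def check_bitmap_tables(font: bytes) -> dict:
    """List bitmap tables and verify every EBLC pointer lands inside EBDT.
    Index formats 1 and 3 (offset arrays) are walked; other formats are only
    bounds-checked at the subtable header."""
    tables, problems = sfnt_tables(font)
    present = sorted(t.decode("latin-1") for t in tables if t in BITMAP_TABLES)
    result = {"bitmap_tables": present, "problems": problems}
    if b"EBLC" not in tables or b"EBDT" not in tables:
        return result
    eblc_off, eblc_len = tables[b"EBLC"]
    eblc = font[eblc_off:eblc_off + eblc_len]
    ebdt_len = tables[b"EBDT"][1]
    if eblc_len < 8:
        problems.append("EBLC shorter than its header")
        return result
    _version, num_sizes = struct.unpack(">II", eblc[:8])
    for i in range(num_sizes):
        strike = eblc[8 + 48 * i: 56 + 48 * i]          # bitmapSizeTable is 48 bytes
        if len(strike) < 48:
            problems.append("EBLC: bitmapSizeTable[%d] truncated" % i)
            break
        arr_off, _arr_size, n_sub = struct.unpack(">III", strike[:12])
        if arr_off + 8 * n_sub > eblc_len:
            problems.append("EBLC: strike %d indexSubTableArray runs past EBLC" % i)
            continue
        for j in range(n_sub):
            first, last, extra = struct.unpack(">HHI", eblc[arr_off + 8 * j: arr_off + 8 * j + 8])
            hdr = arr_off + extra                         # additionalOffsetToIndexSubtable
            if hdr + 8 > eblc_len or last < first:
                problems.append("EBLC: strike %d subtable %d header invalid" % (i, j))
                continue
            fmt, _image_fmt, image_off = struct.unpack(">HHI", eblc[hdr:hdr + 8])
            if image_off > ebdt_len:
                problems.append("EBLC: strike %d subtable %d imageDataOffset 0x%x beyond EBDT (%d bytes)"
                                % (i, j, image_off, ebdt_len))
                continue
            if fmt not in (1, 3):
                continue
            n, code = last - first + 2, ("I" if fmt == 1 else "H")
            end = hdr + 8 + struct.calcsize(code) * n
            if end > eblc_len:
                problems.append("EBLC: strike %d subtable %d offsetArray truncated" % (i, j))
                continue
            offsets = struct.unpack(">%d%s" % (n, code), eblc[hdr + 8:end])
            if any(image_off + o > ebdt_len for o in offsets):
                problems.append("EBLC: strike %d subtable %d glyph offsets run past EBDT" % (i, j))
            if any(b < a for a, b in zip(offsets, offsets[1:])):
                problems.append("EBLC: strike %d subtable %d offsetArray not monotonic" % (i, j))
    return result


# --- constructed test fonts (synthetic, not the carved font_00/font_01) -----
def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal sfnt; checksums are left zero (the parser ignores them)."""
    n = len(tables)
    directory = bytearray(struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0))
    body = bytearray()
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return bytes(directory + body)


def build_eblc(image_off: int, offsets) -> bytes:
    """One strike with one format-1 index subtable covering glyphs 0..len(offsets)-2."""
    last = len(offsets) - 2
    strike = (struct.pack(">IIII", 56, 16 + 4 * len(offsets), 1, 0) + b"\0" * 24
              + struct.pack(">HHBBBb", 0, last, 8, 8, 1, 1))
    return (struct.pack(">II", 0x00020000, 1) + strike
            + struct.pack(">HHI", 0, last, 8)          # indexSubTableArray entry
            + struct.pack(">HHI", 1, 1, image_off)     # indexSubHeader (format 1)
            + struct.pack(">%dI" % len(offsets), *offsets))


EBDT = struct.pack(">I", 0x00020000) + b"\xff\x81\x81\xff" * 3      # 16 bytes
GOOD_FONT = build_sfnt({b"EBDT": EBDT, b"EBLC": build_eblc(4, (0, 4, 12)), b"name": b"\0" * 6})
BAD_OFFSET_FONT = build_sfnt({b"EBDT": EBDT, b"EBLC": build_eblc(0x4000, (0, 4, 12))})
BAD_ORDER_FONT = build_sfnt({b"EBDT": EBDT, b"EBLC": build_eblc(4, (0, 12, 4))})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                    # e.g. the carved font_00/font_01 files
        with open(path, "rb") as fh:
            print(path, check_bitmap_tables(fh.read()))
```

Run it as `python3 check_sbit.py font_00_sfnt_off00016ff3.bin font_01_sfnt_off00027445.bin`; an empty problems list with EBDT/EBLC present means the rule fired on a structurally ordinary bitmap font, which is the caveat the rule text itself raises.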