Risk Score: 6 (CLEAN)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains heuristics indicating it is related to CVE-2023-26369, a known vulnerability for client execution. It also contains an external URI, https://scnv.io/scrweb, which is likely used to download and execute a secondary payload. The document body was unreadable, but the exploit and external URL strongly suggest a malicious intent.
Machine Learning
- Nyx PDF Classifier clean score 0.0002
Heuristics 3
- TrueType bitmap font + active content — CVE-2023-26369 related (info) [PDF_CVE_2023_26369_RELATED]: PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- External URI (info) [PDF_URI]: PDF contains an external URL action.
- Embedded URL (info) [EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - https://scnv.io/scrweb | PDF link annotation
  - http://www.microsoft.com/typography/ctfonts, http://www.fonts.com | Microsoft | in PDF document text
  - http://www.microsoft.com/typography/fonts/default.aspx | in PDF document text
  - http://www.microsoft.com/typography/ctfonts, http://www.c-and-g.co.jp | Microsoft | in PDF document text
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_011_off0000d54b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD54B | 105356 bytes | 9d4ee1cba1efc6e62e5579731db9f02d01ee60e62aee24e37c270bf83ec80a3c |
| stream_012_off000176ee.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x176EE | 261104 bytes | 38a3bf92203eb3380a3cd5ad3ef09d2910b74d93cf7e4db0daf52fada3c596b2 |
| stream_014_off0002a3d6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2A3D6 | 493656 bytes | 056e841e42d796baced73f42e5dab1248681cfd5291e1d9c544f7c511ae42bae |