PDF static analysis report

Static analysis result for SHA-256 6c01f6f0fdb7af0e…

CLEAN

PDF

Size: 340.1 KB
First seen: 2020-02-04
MD5: 27e094b8ba6648b981a8720da7f3fec8
SHA-1: fa7f738cc1d097f3c60dd0180b6380dbc7c3583a
SHA-256: 6c01f6f0fdb7af0e81209439861895dd6367bffc3baa1ec8c33c030f0986d5fb
Risk Score: 6

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file matches heuristics associating it with CVE-2023-26369, a known vulnerability used for client execution. It also contains an external URI, https://scnv.io/scrweb, which is likely used to download and execute a secondary payload. The document body was unreadable, but the exploit indicators and the external URL strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics (3)

  • TrueType bitmap font + active content: CVE-2023-26369 related [severity: info, category: CVE related, rule: PDF_CVE_2023_26369_RELATED]
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • External URI [severity: info, rule: PDF_URI]
    PDF contains an external URL action.
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs and the channel that reached each:
    • https://scnv.io/scrweb (PDF link annotation)
    • http://www.microsoft.com/typography/ctfonts http://www.fonts.com Microsoft (in PDF document text)
    • http://www.microsoft.com/typography/fonts/default.aspx (in PDF document text)
    • http://www.microsoft.com/typography/ctfonts http://www.c-and-g.co.jp Microsoft (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                    Kind                     Source                                     Size
stream_011_off0000d54b.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xD54B   105356 bytes
    SHA-256: 9d4ee1cba1efc6e62e5579731db9f02d01ee60e62aee24e37c270bf83ec80a3c
stream_012_off000176ee.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x176EE  261104 bytes
    SHA-256: 38a3bf92203eb3380a3cd5ad3ef09d2910b74d93cf7e4db0daf52fada3c596b2
stream_014_off0002a3d6.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2A3D6  493656 bytes
    SHA-256: 056e841e42d796baced73f42e5dab1248681cfd5291e1d9c544f7c511ae42bae