Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ab5af56b587588d…

Verdict: MALICIOUS
File type: PDF
File size: 642.3 KB
MD5: 534522f980282c31785930d291104fbf
SHA-1: 922c68dc7315bb247339cd68e6bb036ae8fe0c0c
SHA-256: 7ab5af56b587588d81ee3da37d50d07748e428b8ba7eed6410358d2eb3da5aa7
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell
  • T1059.003 Windows Command and Shell
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and is flagged as related to CVE-2023-26369, indicating that it is likely an exploit document. The embedded JavaScript stream (stream_002_off00000511.js) is highly suspicious and is probably responsible for downloading and executing a secondary payload. The presence of embedded files and XFA forms further supports the malicious nature of this document.

Heuristics (9)

  • [high] TrueType bitmap font + active content, CVE-2023-26369 related (rule PDF_CVE_2023_26369_RELATED; tag: CVE related)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • [medium] Embedded script payload in PDF stream (rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • [low] Embedded JS stream (rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] Embedded file (rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [low] XFA form (rule PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • [low] JavaScript action (rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • [low] String.fromCharCode (rule PDF_FROMCHARCODE)
    String.fromCharCode found; it is used to construct payload strings dynamically. It is common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • [info] Suspicious extracted artifact (rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://www.adobe.com/products/acrobat/readstep2.html
    • http://www.adobe.com/suppor\

Extracted artifacts (14)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, kind, source and size, followed by detection results where the analyzer recorded any.

  • embedded_file_obj0077.bin
    SHA-256: 5e3f60e2bb2d080b3200d4ffe0e8185c8a0e4f00a0aa40f63e3a52edc8308900
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 77 at offset 0x9ECE1
    Size: 8296 bytes
  • embedded_file_obj0109.bin
    SHA-256: c032824d9b04753bd5d8f7dd4b59469a94470ffc86127995c74d17d25b1cbcef
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 109 at offset 0x9F795
    Size: 162 bytes
  • embedded_file_obj0110.bin
    SHA-256: c0459c5a06b9743dab178698d038c3a52ce9de6a43c8528612f1534d0e38ad65
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 110 at offset 0x9F888
    Size: 25115 bytes
  • stream_001_off00000122.js
    SHA-256: 654930abd1897fbdd571fb1cd162a706fa3ef255e52d25ba6d68078cf44815b4
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x122
    Size: 2550 bytes
  • stream_002_off00000511.js
    SHA-256: 52ab6f58c71b50988b0ac1088494687d67a27cdf2109e3541e84f033379d1a36
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x511
    Size: 322727 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
  • stream_003_off00016412.bin
    SHA-256: 984e33597cee6a139b4eb9668deb8ae3fd023cb2f29b1dac2e77dd6be0d9a93d
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x16412
    Size: 2893 bytes
  • stream_005_off000169b4.bin
    SHA-256: 36ab3c7d4b747eee0de0d789230a35892487c262dddf70e16382d374eebb246e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x169B4
    Size: 382 bytes
  • stream_006_off00016af9.bin
    SHA-256: 4bc72bfba3b758008fd6db4cb32a57bb859ad78f238af9c6dbe5806548ee2ae7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x16AF9
    Size: 6836 bytes
  • stream_010_off00066279.bin
    SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x66279
    Size: 367087 bytes
  • stream_012_off0009aada.js
    SHA-256: 529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x9AADA
    Size: 1363 bytes
  • stream_013_off0009acb8.js
    SHA-256: e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x9ACB8
    Size: 902 bytes
  • objstm_0013_00.bin
    SHA-256: da0e75d773909ae118d275df8727a5d6152b94fa96d37283db9d67452d5c60f1
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 13 0 obj (inflated)
    Size: 14639 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 2 long base64-like blob(s).
  • font_00_sfnt_off00016e2a.bin
    SHA-256: bb2941ec4287d456b111082246b159a552fabcbd95c93efecdf11c9146f57370
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16E2A
    Size: 96552 bytes
  • font_01_sfnt_off0002727c.bin
    SHA-256: b8a01f1bf52ef962d6ee77e0a9299704d38617565ea12f2a6dc7a39cdb0062eb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2727C
    Size: 98046 bytes