Malicious PDF — malware analysis report

Static analysis result for SHA-256 834c3a0de77051d9…

MALICIOUS

PDF

1.74 MB Created: 2008-02-27 15:10:56 +05:30 Authoring application: Adobe Designer 7.0
MD5: 70dde44d2cd2449cc40e5fccbbbcb8ba SHA-1: 53adb3012109f2d56a214b464cb3e66662f7ffbe SHA-256: 834c3a0de77051d9d8918a6d9d0014d36f7a93a71d3bb7c1fb544cd636cd8f70
168 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

This PDF document exhibits characteristics of a malicious invoice lure, indicated by the 'SE_INVOICE_LURE' heuristic. It contains embedded JavaScript and an XFA form with executable script, suggesting an attempt to exploit vulnerabilities or deliver a payload. The presence of CVE-2023-26369 related indicators further points to exploitability. The embedded script likely attempts to download and execute a second-stage payload from the suspicious URL.

Heuristics 11

  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://83.244.140.55/pd/ExternalPortal-Registration-context-root/RegistrationService
    • http://oracle.j2ee.ws/ejb/epws:getRegistrationRandomNumber
    • http://oracle.j2ee.ws/ejb/epws:getRegistrationRandomNumberResponse
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.2/
    • http://www.xfa.org/schema/xfa-template/2.1/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.w3.org/2000/10/XMLSchema-instance
    • https://services.mhra.gov.uk/pd/ExternalPortal-Registration-context-root/RegistrationService
    • http://www.opsi.gov.uk
    • http://crl.adobe.com/prodSvce.crl0
    • https://www.adobe.com/misc/pki/prod_svce_cp\
    • http://crl.adobe.com/cds.crl0���~�|�z0x1

Extracted artifacts 19

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0176.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 176 at offset 0x8891B 85 bytes
embedded_file_obj0177.bin
afd3d21a3e5d6bce106fef8dcd911a836cb1e1c7d7ac8be56d9b81b0cadfd794		 pdf-embedded-file PDF EmbeddedFile object 177 at offset 0x889CE 1693 bytes
embedded_file_obj0178.bin
ce633c1ccf6b162f34562d09d21e51c4dfc3f9823fef9f3e02b610dc984f8f4f		 pdf-embedded-file PDF EmbeddedFile object 178 at offset 0x88CDE 819619 bytes
embedded_file_obj0179.bin
01163534ef20fa78a0cb9b0fdffe8e07465266af335788d3d45b6c8ae3f5859b		 pdf-embedded-file PDF EmbeddedFile object 179 at offset 0xA1921 2610 bytes
embedded_file_obj0180.bin
1129d0a37f5adec1e25975fb1a5c7d88c3e943791c0c701a479c42f7c8dc748b		 pdf-embedded-file PDF EmbeddedFile object 180 at offset 0xA1C31 2227 bytes
embedded_file_obj0181.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 181 at offset 0xA1F12 212 bytes
embedded_file_obj0182.bin
7e72487d78685d082d9fafdde99b310206f6adec2d5d1720432e3fecc757dae4		 pdf-embedded-file PDF EmbeddedFile object 182 at offset 0xA200A 709 bytes
embedded_file_obj0183.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 183 at offset 0xA21EE 85 bytes
embedded_file_obj0277.bin
f7de56ab5d864e3566c043c4768f885fc4e9fa6fd58a63f666672fec43e7c91a		 pdf-embedded-file PDF EmbeddedFile object 277 at offset 0x1A505A 1812 bytes
embedded_file_obj0278.bin
9606a8dba72491083f05ea989c9ffb52f62064c497be429b0643fc65e41881a3		 pdf-embedded-file PDF EmbeddedFile object 278 at offset 0x1A537B 824532 bytes
embedded_file_obj0279.bin
87088d5b66a2284f233c903dff53dcc7966aecd3415b4475d3c0304b1fd90211		 pdf-embedded-file PDF EmbeddedFile object 279 at offset 0x1BE04D 2773 bytes
javascript_obj0168_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 168 at offset 0x88194 870 bytes
javascript_obj0170_001.js
4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366		 pdf-javascript-stream PDF /JS object 170 at offset 0x8831B 2794 bytes
javascript_obj0172_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 172 at offset 0x8860D 1528 bytes
stream_000_off00000908.bin
3463cb6a96f307e7e3d7300dfb47d1a354c957c464dadd2539dcb8dc271d2635		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x908 293120 bytes
stream_001_off0002be69.bin
4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2BE69 308015 bytes
embedded_pdf_script_000d9d4c.bin
07088bce4d7103ae9975a8989483d75a1a5da3f060ebda790100db9f67272275		 pdf-embedded-script PDF raw stream script payload at offset 0xD9D4C 818647 bytes
font_02_cff_off0005ac9c.bin
96161e3d15cf67591ef2a1c87940c8dc0af59a94fcfab5d6bfcf4cb992a24af8		 pdf-font-stream PDF embedded font (cff) at offset 0x5AC9C 64586 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.45, consistent with packed or encrypted content.
font_03_sfnt_off0007a28f.bin
5307dc3c5cbbab680f4279aafe69695752d4852ea0f86503bf88000f1c160311		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7A28F 57775 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.