Verdict: CLEAN
Risk Score: 6
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file matches heuristics indicating it is related to CVE-2023-26369, a known vulnerability that can lead to arbitrary code execution. It also contains an embedded URL pointing to 'www.atastrongma.com', which is likely used to download a secondary payload. The combination of the CVE relation and the external URL strongly suggests an exploit delivery mechanism. Note that this is a heuristic assessment: the font rule flags the presence of bitmap font tables alongside delivery indicators and does not validate the malformed EBLC/EBDT primitive itself (see Heuristics below).
Machine Learning
- Nyx PDF Classifier: clean score 0.0003
Heuristics (3)
- TrueType bitmap font + active content, CVE-2023-26369 related (info, PDF_CVE_2023_26369_RELATED): PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.atastrongma.com/ (PDF link annotation)
  - http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H (in PDF document text)
  - http://www.microsoft.com/pki/certs/CSPCA.crt0 (in PDF document text)
  - http://crl.microsoft.com/pki/crl/products/tspca.crl0H (in PDF document text)
  - http://www.microsoft.com/pki/certs/tspca.crt0 (in PDF document text)
  - http://www.microsoft.com/typography (in PDF document text)
  - http://www.monotype.com/html/mtname/ms_welcome.html (in PDF document text)
  - http://www.monotype.com/html/designer/des_index.html (in PDF document text)
Extracted artifacts (5)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| font_00_sfnt_off0001b268.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B268 | 188020 bytes | fabe7faa32c1d5b7a118e85e2c8261ee47e23908a2143fc8c436563113afae04 |
| font_01_sfnt_off0002777f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2777F | 18228 bytes | 75e7d9af516c441b65f9bc7889d10f17d489d008d40cd0a90440f5aef75022fb |
| font_02_sfnt_off000293e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x293E0 | 23984 bytes | db9a2a3efcb8d3f6108b3f6b6345097d6c516973512787294b5f3803dc694548 |
| font_03_sfnt_off0002bbb7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BBB7 | 20592 bytes | 31d7a293723cc78200cd415febaa214d72fd6f4b33d7c18b8f332015fc88579b |
| font_04_sfnt_off0002d7ff.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D7FF | 247880 bytes | 4bc3e49bf97b7196000c557ed8c382067791035245baf74b6f452f8807a483c9 |