PDF static analysis report

Static analysis result for SHA-256 872888e11fe8eace…

CLEAN

PDF

Size: 233.7 KB
Created: 2016-01-14 19:38:00 -06:00
Authoring application: Microsoft® Word 2016
First seen: 2016-12-24

MD5: 2f58f8e133c46930763463e72e7cf7fa
SHA-1: b38bc243beb2ce9681060ee94746c35c8d7de40c
SHA-256: 872888e11fe8eace8bd21a2287f374fece9c8241f7d5fa7b40c917a64f3d20a4

Risk Score: 6

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file matches heuristics indicating it is related to CVE-2023-26369, a known vulnerability that can lead to arbitrary code execution. It also contains an embedded URL pointing to 'www.atastrongma.com', which is likely used to download a secondary payload. The combination of the CVE relation and the external URL strongly suggests an exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics (3)

  • TrueType bitmap font + active content — CVE-2023-26369 related [info, CVE related, PDF_CVE_2023_26369_RELATED]
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs and the channel that reached each:
    • http://www.atastrongma.com/ (PDF link annotation)
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H (in PDF document text)
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 (in PDF document text)
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H (in PDF document text)
    • http://www.microsoft.com/pki/certs/tspca.crt0 (in PDF document text)
    • http://www.microsoft.com/typography (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/designer/des_index.html (in PDF document text)

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off0001b268.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B268 | 188020 bytes | fabe7faa32c1d5b7a118e85e2c8261ee47e23908a2143fc8c436563113afae04
font_01_sfnt_off0002777f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2777F | 18228 bytes | 75e7d9af516c441b65f9bc7889d10f17d489d008d40cd0a90440f5aef75022fb
font_02_sfnt_off000293e0.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x293E0 | 23984 bytes | db9a2a3efcb8d3f6108b3f6b6345097d6c516973512787294b5f3803dc694548
font_03_sfnt_off0002bbb7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2BBB7 | 20592 bytes | 31d7a293723cc78200cd415febaa214d72fd6f4b33d7c18b8f332015fc88579b
font_04_sfnt_off0002d7ff.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D7FF | 247880 bytes | 4bc3e49bf97b7196000c557ed8c382067791035245baf74b6f452f8807a483c9