PDF static analysis report

Static analysis result for SHA-256 904abf8acc488a51…

Verdict: CLEAN
File type: PDF
Size: 9.05 MB
Created: 2019-11-17 00:05:02 +01:00
Authoring application: Microsoft® Word 2013
First seen: 2020-07-02
MD5: f48c086b41c5ca409c11f7e0149f6f04
SHA-1: 13410bea8ad4f292cf9b00beed7c520bc8497883
SHA-256: 904abf8acc488a51262c1810334955cf2a31d02f03113b2a9dad21af19884848
Risk score: 6

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The sample is a PDF document produced by Microsoft Word 2013 that contains embedded URIs. One heuristic tags it as related to CVE-2023-26369 because it embeds a TrueType font carrying bitmap glyph tables; that rule is informational only and does not validate the malformed EBLC/EBDT structure the exploit depends on, so the match is not evidence that the document attempts to exploit the vulnerability, and the overall verdict is clean. The document's creation timestamp (2019-11-17) also predates the 2023 disclosure of the CVE, although PDF metadata is trivially forgeable and should not be relied on alone. The embedded URLs all point to www.derindusunce.org, one through a link annotation and the rest as plain text in the document body; nothing in the analysis shows that they redirect to malicious content. No scripts were extracted, so no payload delivery mechanism was observed.

Machine Learning

  • Nyx PDF Classifier clean score 0.1116

Heuristics 3

  • TrueType bitmap font + active content, CVE-2023-26369 related (severity: info; category: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font carrying bitmap glyph tables (EBDT/sbix/CBDT) together with active content (here, the external URI action; no scripts were found). CVE-2023-26369 is an out-of-bounds write in the sfac_GetSbitBitmap function of Adobe's CoolType font engine (libCoolType) that was exploited in the wild for arbitrary code execution. This rule only checks for the presence of bitmap tables and does not validate the malformed EBLC/EBDT structure the exploit relies on, so a benign font with embedded bitmap strikes matches it as well.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.derindusunce.org/ [PDF link annotation]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Tanri-ka%C3%A7-feet-y%C3%BCksekte.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/werther_selbstmord_gross.jpg [in PDF document text]
    • http://www.derindusunce.org/2014/08/03/romantizm-goetheden-muslum-babaya/ [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/06/sen-insansin.pdf [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/hqdefault.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Cupola_Baciccia_Gesu.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/detay.jpg [in PDF document text]
    • http://www.derindusunce.org/2014/08/12/kiliseler-buyudukce-tanri-kuculuyor/ [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/requin-3D.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/05/tezyin_kitabi.pdf [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2013/10/soyut_sanat_muslumanin_yitik_malidir.pdf [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2013/09/islamda_mimar_ve_sehir.pdf [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2012/06/sanat_hakikat.pdf [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Santa-Maria-del-Fiore.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Mantegna-Camera-degli-Sposi-1.jpg [in PDF document text]
    • http://www.derindusunce.org/2014/08/22/tanriyi-gormek-icin-kac-km-yukselmek-lazim/ [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Tanri-ka%C3%A7-feet-y%C3%BCksekte2.jpg [in PDF document text]
    • http://www.derindusunce.org/2013/11/06/sebep-sonuc-nedensellik-illiyet-causality/ [in PDF document text]
    • http://www.derindusunce.org/2014/08/25/ronesans-oncesi-hristiyan-sanati/ [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/12th-century_painters_-_F%C3%A9camp_Psalter_-_WGA15831.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/25_artstor_103_41822001105962-145F767A7AA4CB857F9.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/050_Absis_de_Sant_Climent_de_Ta%C3%BCll_amb_Marc_Lluc_Tom%C3%A0s_Bartomeu_i_Maria.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/060_Frontal_daltar_de_Santa_Maria_de_Ta%C3%BCll.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/428px-12th-century_unknown_painters_-_The_Fight_between_David_and_Goliath_detail_-_WGA19693.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/513px-11th_century_unknown_painters_-_Christ_in_Majesty_-_WGA19746.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/580px-Louvre_saint_michel_rf1427.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/640px-KellsFol032vChristEnthroned.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/746px-Bari_archivio_capitoalre_exultet_MS._1_XI_secolo.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/756px-Novalesa_Sant_Eldrado-2.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/781px-TaullLlatzer.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/800px-Borradaile_Oliphant.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/800px-CLUNY-Coffret_Christ_1.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/9814_-_Milano_-_SantAmbrogio_-_Sarcofago_di_Stilicone_-_Foto_Giovanni_DallOrto_25-Apr-2007s.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Abbaye_de_Saint-G%C3%A9nis-des-Fontaines_PM_47223.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Abbaye_Vezelay-tympan.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/BaldwinII_ceeding_the_Temple_of_Salomon_to_Hugues_de_Payns_and_Gaudefroy_de_Saint-Homer.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Barcelona_MNAC_P1290746.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Barcelona_MNAC_P1290789.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/BeatoSM.012.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Capitells_I._Claustre_Serrabona.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Cazeaux-de-Larboust_%C3%A9glise_fresques_Assomption.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Ceiling_panel_with_knights_galleys_and_a_boat_with_a_high_gunwale_-_Google_Art_Project.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Cicle_de_linf%C3%A0ncia_de_Crist.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Codex_Bodmer_127_052r_Detail.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Iohannes_-_Altar_frontal_from_Gia_-_Google_Art_Project.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Livre-de-Kells-t%C3%A9tramorphe-aigle.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/MS2555Fol7.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/PESCHERIA.jpg [in PDF document text]
    • http://www.derindusunce.org/wp-content/uploads/2014/08/Portail-NDLG-centre1406.jpg [in PDF document text]
    +93 more URL(s)
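Because the CVE-2023-26369 heuristic above only keys on the presence of bitmap glyph tables, the natural next triage step is to pull the embedded font out of the PDF (the decoded /FontFile2 stream) and look at it directly. The following script is an added example, not code from the analyser that produced this report: it parses the sfnt table directory, reports which bitmap tables (EBLC/EBDT, CBLC/CBDT, sbix, bloc/bdat) are present, and runs a bounds check over the EBLC strike index that points into EBDT. The three fonts it checks are constructed inline; the bounds check is a structural sanity test of the container, not a detector for the CVE itself.

```python
"""Triage helper for the PDF_CVE_2023_26369_RELATED heuristic above.

Added example, not code from the analyser that produced this report. It parses
the table directory of a TrueType/OpenType font blob (for a PDF, the decoded
/FontFile2 stream), reports which bitmap-glyph tables are present, and runs a
bounds check on the EBLC strike index. The sample fonts are constructed inline.
"""
import struct

# Tables that hold embedded bitmap glyphs (EBLC/EBDT/EBSC, Apple's bloc/bdat,
# colour bitmaps CBLC/CBDT, and Apple's sbix). Their presence is what the
# heuristic keys on; it is not by itself a sign of exploitation.
BITMAP_TABLES = {b"EBLC", b"EBDT", b"EBSC", b"bloc", b"bdat", b"CBLC", b"CBDT", b"sbix"}
SFNT_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}  # 1.0, 'true', 'OTTO'


def parse_table_directory(font: bytes) -> dict[bytes, tuple[int, int]]:
    """Return {tag: (offset, length)}; raise ValueError on a directory that
    does not fit the blob, which is itself worth flagging in a PDF font."""
    if len(font) < 12:
        raise ValueError("truncated offset table")
    version, num_tables = struct.unpack(">IH", font[:6])
    if version not in SFNT_VERSIONS:
        raise ValueError(f"unexpected sfnt version 0x{version:08x}")
    if len(font) < 12 + 16 * num_tables:
        raise ValueError("table directory runs past end of blob")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, 12 + 16 * i)
        if offset + length > len(font):
            raise ValueError(f"table {tag!r} points outside blob")
        tables[tag] = (offset, length)
    return tables


def bitmap_tables(font: bytes) -> set[bytes]:
    """Bitmap-glyph tables present in the font (the heuristic's trigger)."""
    return set(parse_table_directory(font)) & BITMAP_TABLES


def eblc_issues(font: bytes) -> list[str]:
    """Structural sanity checks on EBLC, the strike index that points into EBDT.
    This is a container bounds check, not a detector for any specific CVE."""
    tables = parse_table_directory(font)
    issues = []
    if b"EBLC" in tables and b"EBDT" not in tables:
        issues.append("EBLC present without EBDT")
    if b"EBLC" not in tables:
        return issues
    off, length = tables[b"EBLC"]
    eblc = font[off:off + length]
    if len(eblc) < 8:
        return issues + ["EBLC shorter than its 8-byte header"]
    _major, _minor, num_sizes = struct.unpack(">HHI", eblc[:8])
    if 8 + 48 * num_sizes > len(eblc):  # each BitmapSize record is 48 bytes
        return issues + [f"EBLC declares {num_sizes} strikes but is only {len(eblc)} bytes"]
    for i in range(num_sizes):
        arr_off, arr_size, n_sub = struct.unpack_from(">III", eblc, 8 + 48 * i)
        # The index subtable array lives inside EBLC and has 8-byte entries.
        if arr_off + arr_size > len(eblc) or n_sub * 8 > arr_size:
            issues.append(f"strike {i}: index subtable array at {arr_off} (+{arr_size}, "
                          f"{n_sub} subtables) does not fit inside EBLC ({len(eblc)} bytes)")
    return issues


def build_font(tables: dict[bytes, bytes]) -> bytes:
    """Assemble a minimal sfnt blob from {tag: payload}; constructed test data."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    directory, body = b"", b""
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * num + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + body


def make_eblc(array_offset: int) -> bytes:
    """One-strike EBLC whose index subtable array sits at `array_offset`."""
    header = struct.pack(">HHI", 2, 0, 1)
    strike = (struct.pack(">IIII", array_offset, 8, 1, 0) + b"\0" * 24
              + struct.pack(">HHBBBb", 0, 10, 12, 12, 1, 1))
    return header + strike + struct.pack(">HHI", 0, 10, 8)  # the 8-byte array entry


# Constructed samples: a well-formed bitmap font, one whose strike index points
# outside EBLC, and an outline-only font like most Word-embedded fonts.
GOOD_FONT = build_font({b"glyf": b"\0" * 4, b"EBDT": b"\0" * 16, b"EBLC": make_eblc(56)})
BAD_FONT = build_font({b"EBDT": b"\0" * 16, b"EBLC": make_eblc(0xFFFF0000)})
OUTLINE_FONT = build_font({b"glyf": b"\0" * 4, b"cmap": b"\0" * 4})

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FONT), ("bad", BAD_FONT), ("outline", OUTLINE_FONT)]:
        print(name, sorted(bitmap_tables(blob)), eblc_issues(blob))
```

To apply it to a real sample, inflate the font's /FontFile2 stream (the carving logic in the artifacts section does that) and pass the bytes to bitmap_tables and eblc_issues. A clean result does not clear the font, since the exploit's malformation lives deeper than the strike index; an out-of-bounds index subtable array does, however, turn an informational "bitmap tables present" match into something worth a closer look in a font parser or a sandbox.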

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: stream_084_off007cc0e0.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x7CC0E0
Size: 600520 bytes
SHA-256: 87d6111d2cea8ee76034a27f49796461ea530ee9065e0742a291b0c646d91f95

Filename: stream_085_off008006db.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x8006DB
Size: 90036 bytes
SHA-256: fe162d58be9d84ed4c1877853fc9384c95897906e4b450e665cb7eb4c7af6289

Filename: stream_099_off008ec92e.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x8EC92E
Size: 678036 bytes
SHA-256: 51c8ab7228716bac5ec4ff7b9776cb38a9488e1b69d6762a22a8945ba3925f37
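The artifact table and the per-URL channel labels in the Embedded URL heuristic come from the same two operations: inflating the document's /FlateDecode streams and then scanning both the raw file and the decoded streams for URLs. The script below is an added example, not the analyser's own code; it carves the streams (offset, decoded size, SHA-256, as in the table above) and labels each URL as reached through a /URI link annotation, through text inside a decompressed content stream, or only through the raw file bytes. The input PDF is constructed inline and the example.invalid host is a placeholder, not one of the analysed document's URLs. The annotation matcher is deliberately simple (literal strings, keys in /S then /URI order) and would need extending for hex strings, escaped parentheses and object streams.

```python
"""Carve FlateDecode streams from a PDF and label extracted URLs by channel.

Added example, not the analyser's own code. It reproduces the two things the
tables above report: decoded streams with offset, size and SHA-256, and each
URL tagged with how it was reached (a /URI link annotation versus text inside
a decompressed content stream). The input PDF is constructed inline; the
example.invalid host is a placeholder, not the analysed document's URLs.
"""
import hashlib
import re
import zlib

URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")  # skip the 'stream' inside 'endstream'
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")  # ignore indirect refs


def carve_flate_streams(pdf: bytes) -> list[dict]:
    """Find every stream object, inflate the /FlateDecode ones and return
    offset, decoded size and SHA-256 in the shape of the artifact table.
    The offset is that of the first byte of stream data."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        # The stream dictionary is whatever follows the last 'obj' keyword.
        head = pdf[max(0, m.start() - 512):m.start()]
        dict_src = head.rsplit(b"obj", 1)[-1]
        length = DIRECT_LENGTH_RE.search(dict_src)
        if length:
            raw = pdf[start:start + int(length.group(1))]
        else:  # indirect or missing /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end >= 0 else len(pdf)]
            raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
        entry = {"offset": start, "raw_size": len(raw), "filter": None, "error": None, "data": raw}
        if b"/FlateDecode" in dict_src:
            entry["filter"] = "FlateDecode"
            try:
                # decompressobj tolerates trailing bytes where zlib.decompress would not.
                entry["data"] = zlib.decompressobj().decompress(raw)
            except zlib.error as exc:  # corrupt or truncated stream: keep the raw bytes
                entry["error"] = str(exc)
        entry["size"] = len(entry["data"])
        entry["sha256"] = hashlib.sha256(entry["data"]).hexdigest()
        out.append(entry)
    return out


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(url, channel) pairs. Earlier channels win when a URL is reachable by
    more than one route, matching the per-URL labels in the report."""
    found: dict[str, str] = {}
    # 1. Link annotations: /A << /S /URI /URI (...) >>. Simplified: literal
    #    strings only, keys in this order; hex strings and escapes are not handled.
    for m in re.finditer(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", pdf, re.S):
        found.setdefault(m.group(1).decode("latin-1"), "PDF link annotation")
    # 2. URLs typed into page content, visible only after inflating the stream.
    for s in carve_flate_streams(pdf):
        for u in URL_RE.findall(s["data"]):
            found.setdefault(u.decode("latin-1"), "PDF document text")
    # 3. Anything else readable in the raw bytes (metadata, uncompressed objects).
    for u in URL_RE.findall(pdf):
        found.setdefault(u.decode("latin-1"), "raw file bytes")
    return sorted(found.items())


def build_sample_pdf() -> bytes:
    """Constructed one-page PDF with one link annotation and one URL in the
    page text (no xref table; the carver does not need one)."""
    content = b"BT /F1 12 Tf 72 700 Td (See http://www.example.invalid/notes/report.pdf) Tj ET"
    deflated = zlib.compress(content)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated) + deflated + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [72 680 300 700]"
        b" /A << /S /URI /URI (http://www.example.invalid/) >> >>",
    ]
    body = b"%PDF-1.4\n"
    for num, obj in enumerate(objects, 1):
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    for s in carve_flate_streams(sample):
        print(f"stream at 0x{s['offset']:X}: {s['filter']} {s['size']} bytes sha256={s['sha256']}")
    for url, channel in extract_urls(sample):
        print(f"{url}  [{channel}]")
```

The channel matters for triage: a URL inside a link annotation is something the reader will navigate to on a click, while a URL that only appears in page text is inert unless the viewer auto-links it, and a URL that only shows up in raw bytes usually sits in metadata or an unused object. For a 9 MB document like this one, run the carver on the whole file and sort the decoded streams by size; the large FlateDecoded streams listed in the table are the first candidates for a content stream, an embedded image or the embedded font.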