PDF static analysis report

Static analysis result for SHA-256 9463b3a43d7b87b2…

CLEAN

PDF

Size: 2.32 MB
Created: 2017-01-27 13:24:51 +01:00
Authoring application: Microsoft® Word 2013
First seen: 2020-09-24
MD5: 04af78962364cfff9a6f3eb5d4085e76
SHA-1: 32a5b34306ee700f579fe602953f4775ac3b4b5b
SHA-256: 9463b3a43d7b87b265bbc4ca0f5842a51e570e9c46ab34614a249d1c7146a06f
Risk score: 6

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The only CVE-related hit is the informational rule PDF_CVE_2023_26369_RELATED, which fires when an embedded TrueType font carrying bitmap tables (EBDT/sbix/CBDT) co-occurs with active content (the embedded JavaScript). By its own description the rule does not validate the malformed EBLC/EBDT primitive that CVE-2023-26369 requires, so it is a co-occurrence indicator, not evidence of an exploit attempt. The Nyx PDF classifier scores the file clean (0.0002) and the overall verdict is CLEAN. The external URIs are one link annotation to the Croatian official gazette and a set of document-text URLs pointing to EU, Croatian and Slovenian public sites, plus Microsoft font-licensing and PKI (CRL/certificate) URLs of the kind found in embedded signed fonts; none is flagged as malicious. The ATT&CK mapping (T1059.001, T1204.002) is not backed by any behaviour recorded in this report: static analysis of a PDF observes font tables, action keys and URLs, not PowerShell execution.

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics (3)

  • TrueType bitmap font + active content (info, CVE related) PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution and was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive; it reports co-occurrence only.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://narodne-novine.nn.hr/clanci/sluzbeni/2014_02_23_426.html (PDF link annotation)
    • http://narodne-novine.nn.hr/clanci/sluzbeni/2014_04_51_992.html (in PDF document text)
    • http://www.rreuse.org/wp-content/uploads/Final-briefing-on-reuse-jobs-website-2.pdf (in PDF document text)
    • http://www.dolenjskilist.si (in PDF document text)
    • http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32008L0098 (in PDF document text)
    • http://eur-lex.europa.eu/legal- (in PDF document text; truncated in source)
    • http://ec.europa.eu/environment/waste/pdf/strategy/Background%20Report%20Waste%20EIs%20251011%20- (in PDF document text; truncated in source)
    • http://europa.eu/youreurope/citizens/consumers/shopping/guarantees/index_hr.htm (in PDF document text)
    • http://www.njuskalo.hr/ (in PDF document text)
    • http://ec.europa.eu/environment/waste/pdf/strategy/Background%20Report%20Waste%20EIs%20251011%20-%20final.pdf (in PDF document text)
    • http://www.microsoft.com/typography/ctfonts (in PDF document text; extracted fused with the next entry)
    • http://fontfabrik.com (in PDF document text; the trailing "You" in the raw extraction is adjacent licence text, not part of the URL)
    • http://www.microsoft.com/typography/fonts/default.aspx (in PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (in PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (in PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z (in PDF document text)
    • http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0 (in PDF document text)
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T (in PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0 (in PDF document text)
    • http://www.microsoft.com/typography/0 (in PDF document text)
    • http://www.microsoft.com/Typography/0 (in PDF document text)
    The trailing characters on the Microsoft PKI entries (0X, 0Z, 0T, 0) are DER length bytes, which is what a string carver leaves behind when it pulls CRL distribution point and certificate URLs out of a DER-encoded Authenticode chain (Microsoft Code Signing PCA 2010, Time-Stamp PCA, root) embedded in the file, most likely in a signed Microsoft font. The microsoft.com/typography and fontfabrik.com entries are font licence strings. These are expected in a Word-authored PDF with embedded fonts and are not indicators of remote content.
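The CVE-related heuristic above is a co-occurrence rule: an embedded sfnt font whose table directory lists bitmap tables, plus active-content keys somewhere in the PDF. The following is an added example of how such a rule can be implemented from scratch; it is not the analysis engine's code and does not come from this report. It parses the 12-byte sfnt offset table and 16-byte directory entries of any FlateDecode stream that looks like a font, scans object dictionaries for /JS, /JavaScript, /OpenAction, /AA and /Launch, and fires only when both indicators are present. Like the report's rule, it does not validate whether any EBLC/EBDT data is malformed. The fixtures (build_sfnt, build_pdf) are constructed inline so the script runs offline; the sample PDF, its object numbers and the app.alert payload are assumptions for the demonstration, not content carved from the analysed file.

```python
import re
import struct
import zlib

# sfnt tables that hold embedded bitmap glyphs: the EBLC/EBDT pair, colour
# CBLC/CBDT, Apple sbix and the legacy bloc/bdat names. The report's rule
# names EBDT/sbix/CBDT; EBLC is included because it always pairs with EBDT.
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix", b"bdat", b"bloc"}
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}   # single-font sfnt headers

# Dictionary keys through which a PDF can carry active content. /OpenAction
# and /AA may also hold harmless GoTo actions; this is an indicator, not a verdict.
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def sfnt_tables(blob: bytes) -> set[bytes]:
    """Return the table tags listed in an sfnt (TrueType/OpenType) directory.

    Only the offset table and the directory entries are parsed; anything that
    is not a single-font sfnt yields an empty set.
    """
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return set()
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tags = set()
    for i in range(num_tables):
        entry = blob[12 + 16 * i: 28 + 16 * i]
        if len(entry) < 16:
            break            # truncated directory: stop rather than guess
        tag, _checksum, _offset, _length = struct.unpack(">4sIII", entry)
        tags.add(tag)
    return tags


def scan_pdf(pdf: bytes) -> dict:
    """Co-occurrence check in the shape of PDF_CVE_2023_26369_RELATED.

    Walks every "n g obj ... endobj" body, inflates FlateDecode streams,
    records bitmap tables from any stream that parses as an sfnt font and
    active-content keys from the object dictionaries. Fires on both being
    present; does not inspect whether the EBLC/EBDT data is malformed.
    """
    result = {"bitmap_tables": set(), "active_content": set(), "fires": False}
    for _num, _gen, body in OBJ_RE.findall(pdf):
        result["active_content"].update(
            k.decode() for k in ACTIVE_CONTENT.findall(body))
        m = STREAM_RE.search(body)
        if m is None:
            continue
        dictionary, data = body[:m.start()], m.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue     # corrupt or multi-filter stream: skip, do not crash
        result["bitmap_tables"].update(
            t.decode() for t in sfnt_tables(data) & BITMAP_TABLES)
    result["fires"] = bool(result["bitmap_tables"] and result["active_content"])
    return result


# --- constructed fixtures (assumed test data, not carved from the sample) -----

def build_sfnt(tags) -> bytes:
    """Minimal TrueType offset table plus a directory of empty tables."""
    tags = sorted(tags)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tags), 0, 0, 0)
    end = 12 + 16 * len(tags)
    return header + b"".join(struct.pack(">4sIII", t, 0, end, 0) for t in tags)


def build_pdf(font: bytes, with_js: bool) -> bytes:
    """Two-object PDF: a FlateDecode font stream and a catalog, optionally with /OpenAction JS."""
    comp = zlib.compress(font)
    font_obj = (b"1 0 obj\n<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
                % (len(comp), len(font)) + comp + b"\nendstream\nendobj\n")
    action = b" /OpenAction << /S /JavaScript /JS (app.alert(1)) >>" if with_js else b""
    catalog = b"2 0 obj\n<< /Type /Catalog" + action + b" >>\nendobj\n"
    return b"%PDF-1.7\n" + font_obj + catalog + b"%%EOF\n"


if __name__ == "__main__":
    bitmap_font = build_sfnt([b"head", b"glyf", b"EBLC", b"EBDT"])
    cases = [("bitmap font + JS", build_pdf(bitmap_font, True)),
             ("bitmap font only", build_pdf(bitmap_font, False)),
             ("plain font + JS", build_pdf(build_sfnt([b"head", b"glyf"]), True))]
    for label, sample in cases:
        print(label, scan_pdf(sample))
```

Only the first of the three constructed cases fires; a bitmap font without active content, or JavaScript without a bitmap font, does not. On real input the object and stream regexes are deliberately simple (no cross-reference parsing, no object streams, no multi-filter chains), so treat a non-firing result from this script as "indicator absent in plain objects", not as a clean verdict.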

Extracted artifacts (7)

Files carved from inside the sample during analysis. All seven are FlateDecoded PDF streams of 177–215 KB each.

Filename                     Kind                     Source                                      Size
stream_066_off001835ce.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1835CE  208092 bytes
  SHA-256: 4c991079c0693122b3b5e153c89f76db5764c7ae02c3a2b4891acbdd8086f272
stream_068_off0019c657.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x19C657  196548 bytes
  SHA-256: c3cedc8a30ac49524e3dddc440b5d4ed7070c6b00f34d276a4a7aa730e9f92be
stream_070_off001b3b21.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1B3B21  195268 bytes
  SHA-256: bb6221abf85a889a55da02ff867ac484e8b02dc1e70ed25d6943bd130560658a
stream_072_off001c0bf8.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1C0BF8  194656 bytes
  SHA-256: dd88ed96a00e1e7ab601d8fdea87832637e78c87daff557ddac6ce965d57b7f5
stream_074_off001cdbb9.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1CDBB9  177388 bytes
  SHA-256: cdf3de20cd70d159204fcacceee6de6fa52a7fdf681ff1126badeb9c21df2e87
stream_078_off0020771d.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x20771D  188144 bytes
  SHA-256: 2b60f4350b9b2f6ff0a667513536acc2af2734a27c46d80fb91d4eeb32ec4926
stream_080_off0021e238.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x21E238  214688 bytes
  SHA-256: 8431123d7749cf6e762310bb1d602fb512cdd3f81a44560c0663f97b34b9c866