Malicious PDF — malware analysis report

Static analysis result for SHA-256 a28aeb893c2a5960…

Verdict: MALICIOUS
File type: PDF
Size: 335.4 KB
Created: 2010-01-14 23:25:48 -05:00
Authoring application: Adobe LiveCycle Designer 8.0
MD5: eec27ede9461a300611ea42e4e202490
SHA-1: c1277bf1aa64deb21ad9f5b646b2f95e0d358ed4
SHA-256: a28aeb893c2a5960085498c652011c3e910b22bcf3b9199a46315b527ffbf2f4
Risk Score: 132

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF contains embedded JavaScript and an embedded file, flagged as a suspicious payload. The presence of XFA forms and a TrueType bitmap font associated with CVE-2023-26369 suggests an exploit attempt. The embedded JavaScript likely facilitates the download and execution of the embedded file, which is a common technique for delivering secondary payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9380

Heuristics (9)

  • TrueType bitmap font + active content — CVE-2023-26369 related [high, CVE related] PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size; detection notes follow the artifacts that have them.

  • embedded_file_obj0068.bin
    SHA-256: 73de10983932d86ae1646d5c6dd17d2b21912c3cd058cbf6c4fde2e573f6c26a
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 68 at offset 0x43068 | Size: 162 bytes
  • embedded_file_obj0069.bin
    SHA-256: 667a592c882c1d6a9cdf47fd060a2388c6e1435c53856ceed25cb96d5f04e63f
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 69 at offset 0x43159 | Size: 3423 bytes
  • embedded_file_obj0070.bin
    SHA-256: 9ca72836332909df9aefa50ccd9e37c3c9bf5e9b1f7297f2424b957cb91b1691
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 70 at offset 0x43650 | Size: 124745 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).
  • embedded_file_obj0071.bin
    SHA-256: 2d58413fda1ff20c994606823bf49e41194612c0137b6315e50fa7bdc01f1e09
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 71 at offset 0x4F762 | Size: 2423 bytes
  • embedded_file_obj0072.bin
    SHA-256: 7e915b5dd2e321929666a7b64c038b67678092d6e43a4a70683521856a4d5128
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 72 at offset 0x4FA44 | Size: 214 bytes
  • embedded_file_obj0073.bin
    SHA-256: 64f576b6d9988b1c02f37001564d22237a4bf9d496912094aacd308e54696b1e
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 73 at offset 0x4FB3F | Size: 2335 bytes
  • embedded_file_obj0074.bin
    SHA-256: 683c239f631c4a6ec9e4685770aafcf92b951991bee63d8368d87ca9eae684ac
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 74 at offset 0x4FD17 | Size: 799 bytes
  • embedded_file_obj0075.bin
    SHA-256: b1b296d371e691ae903fc90e2f3bd69eeac3730137d7c7f5d9379aed02cb51d6
    Kind: pdf-embedded-file | Source: PDF EmbeddedFile object 75 at offset 0x4FF25 | Size: 110 bytes
  • javascript_obj0388_000.js
    SHA-256: 40d207bd33ef19f74e77d6e0bc9aa193e7355fc39dc66f9669dd2d0a8de76db6
    Kind: pdf-javascript-stream | Source: PDF /JS object 388 at offset 0xE8B | Size: 1383 bytes
  • javascript_obj0389_001.js
    SHA-256: 91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
    Kind: pdf-javascript-stream | Source: PDF /JS object 389 at offset 0x1072 | Size: 902 bytes
  • javascript_obj0390_002.js
    SHA-256: 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc
    Kind: pdf-javascript-stream | Source: PDF /JS object 390 at offset 0x11CD | Size: 2798 bytes
  • stream_016_off000082a3.bin
    SHA-256: bcd5ef850e86bd2455f402aa81b185951850bd36fce3e19fcc6f08b1ad4f5ed9
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x82A3 | Size: 108306 bytes
  • font_00_cff_off0001425a.bin
    SHA-256: 95ef2d8b25f5fb13c1dfc4d2a0ec8ab371f96462d7afce1ad9651e693e51af19
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x1425A | Size: 3437 bytes
  • font_01_cff_off00014f14.bin
    SHA-256: 94f77470cfdda635d572fbd97e2dcd95da162d12f9c88425aa06e2f8a316ca6a
    Kind: pdf-font-stream | Source: PDF embedded font (cff) at offset 0x14F14 | Size: 4930 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.43, consistent with packed or encrypted content.
  • font_02_sfnt_off00022c78.bin
    SHA-256: 3007566a1a727616a7e36c450fb46407c241be9dec2efbebf30abd51fa1655f1
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x22C78 | Size: 12288 bytes
  • font_03_sfnt_off0003122e.bin
    SHA-256: 058d11642e857508126df5662db2c7af4bdc1892e73eea6fc33f2605a1fc3c20
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x3122E | Size: 94875 bytes