Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8e84b5d142e7b08…

MALICIOUS

PDF

423.6 KB Created: 2017-11-08 10:57:19 +02:00 Authoring application: www.convertapi.com
MD5: 6681b16c367486986cabb82ead061ee7 SHA-1: f1ed7bdeb746e2f19bf1a88cafc478887f3f1141 SHA-256: a8e84b5d142e7b086afdacc5c27f5e00f511bbc684ce0ef08fc98ca698f4b472
78 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains embedded JavaScript and an external URI pointing to a suspicious URL, indicating an attempt to deliver a malicious payload. The heuristic firings suggest the document impersonates a cloud service to trick the user into interacting with it, and is related to CVE-2023-26369, a known PDF vulnerability. The embedded JavaScript likely facilitates the download and execution of a second-stage payload from the identified URL.

Machine Learning

  • Nyx PDF Classifier clean score 0.0034

Heuristics 6

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Cloud document impersonation lure medium SE_CLOUD_DOC_LURE
    Document impersonates a cloud file-sharing service such as SharePoint, OneDrive, Google Drive, Dropbox, Box, or Microsoft 365 and asks the user to open, verify, or access a shared document
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://skbizcorp.com/js/frk/dropbox/spacebox/index.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000f879.bin
1dc3d788cba2242c401caf8136aebbb97e81b74e7a04dd210be2dac35e9eff23		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xF879 182580 bytes
stream_003_off000247cd.bin
f3bf9704ae1a1b01d6eaba8c4203245dfddd8957cdd25f52cca46afe823164ba		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x247CD 173484 bytes
font_00_sfnt_off00000ade.bin
c1caf580c14a67f98ff57465257177841e7ddde37b788d4e356293d757db58d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xADE 226620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.