Malicious PDF — malware analysis report

Static analysis result for SHA-256 af001e26fbaaa4d6…

MALICIOUS

PDF

Size: 98.0 KB
Created: 2009-07-28 16:23:15
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 7ad1ed39a1f8616f5ec450a6efd447b1
SHA-1: c167f944da0465f5801908d59edb42247410ed38
SHA-256: af001e26fbaaa4d6602d9418d06c3ffe310ee686f5c1d974f3334a487c2bbd2d
Risk Score: 158

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment

This PDF contains embedded JavaScript: both PDF_JAVASCRIPT (a /JavaScript action) and PDF_JS (a /JS stream) fired, and the decoded stream contains an unescape() call, the usual way PDF exploits turn a "%uXXXX" string into shellcode bytes before a heap spray. PDF_CVE_2023_26369_RELATED fired as well, but that rule only correlates an embedded TrueType font with bitmap tables against active content and does not validate the malformed EBLC/EBDT primitive, so it is a lead rather than evidence that the CVE is exploited here; the 2009 creation timestamp also sits oddly with a 2023 bug, although PDF metadata is trivially forged. The ClamAV detection Pdf.Dropper.Agent-7293211-0 is the strongest signal: a dropper signature, consistent with the embedded script staging and executing a second-stage payload.

Heuristics (6)

  • TrueType bitmap font + active content (CVE-2023-26369 related) [high, CVE related] PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 is a memory-corruption bug in the sfac_GetSbitBitmap function of Adobe's CoolType font engine (libCoolType) that yields arbitrary code execution and was exploited in the wild. This rule only correlates the two indicators; it does not validate the malformed EBLC/EBDT primitive, so treat it as a lead, not as proof of exploitation.
  • ClamAV: Pdf.Dropper.Agent-7293211-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7293211-0.
  • unescape() call [high] PDF_UNESCAPE
    unescape() found inside a decoded stream. PDF JS exploits commonly use it to turn a "%uXXXX" string into shellcode bytes before a heap spray.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0029_000.js
  SHA-256: 78b7f89807b0cac37538dfb149b2737b4ce9142486594e4c5be2f5231ca39e56
  Kind: pdf-javascript-stream
  Source: PDF /JS object 29 at offset 0x158EE
  Size: 52 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)

Filename: javascript_obj0030_001.js
  SHA-256: 46bc179c000b316d18c9d4c55eebcd78c8ec504caf43e9441ee17845789a6789
  Kind: pdf-javascript-stream
  Source: PDF /JS object 30 at offset 0x15971
  Size: 44355 bytes
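To reproduce the carving and the scoring above on a sample of your own, here is an added Python example; it is not the scanner's code and not part of this report. It scans for objects without trusting the xref, inflates FlateDecode streams, follows /JS references to carve the scripts (recording object number and file offset, as the artifact table does), counts the same class of eval/decoder/string-building tokens, decodes unescape() literals into the bytes they leave in memory (%uXXXX as a 16-bit little-endian unit, %XX as one byte), and checks every FontFile2 blob's sfnt table directory for EBDT/EBLC/CBDT/CBLC/sbix. The PDF it runs on is constructed inline; its object numbers, the %u9090 spray payload and the fake font are assumptions, and only direct /Length values and Flate-only filters are handled.

```python
# Added example (not the scanner's code): reproduce the PDF_JS, PDF_UNESCAPE and
# PDF_CVE_2023_26369_RELATED rules and the artifact token count on a constructed PDF.
import re, struct, zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")  # assumption: direct /Length, not "N 0 R"
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")  # assumption: /JS references a stream
FONTFILE_RE = re.compile(rb"/FontFile[23]?\s+(\d+)\s+\d+\s+R")
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")
UNESC_LIT_RE = re.compile(rb"unescape\s*\(\s*([\"'])(.*?)\1\s*\)", re.S)
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix"}
JS_TOKENS = {  # eval/decoder/string-building tokens, as counted for the carved artifacts
    "unescape": re.compile(rb"\bunescape\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "string_building": re.compile(rb"\+=\s*[A-Za-z_$][\w$]*\s*;"),
}

def parse_objects(pdf):
    """Linear scan for 'N G obj' (the xref is never trusted): {num: (offset, dict, raw|None)}."""
    objs, pos = {}, 0
    while (m := OBJ_RE.search(pdf, pos)) and (end_obj := pdf.find(b"endobj", m.end())) >= 0:
        num, start = int(m.group(1)), m.end()
        sm = STREAM_RE.search(pdf, start)
        if sm and sm.start() < end_obj:  # dictionary followed by stream data
            d = pdf[start:sm.start()]
            raw = pdf[sm.end():sm.end() + int(LENGTH_RE.search(d).group(1))]
            pos = pdf.find(b"endobj", sm.end() + len(raw)) + 6
        else:
            d, raw, pos = pdf[start:end_obj], None, end_obj + 6
        objs[num] = (m.start(), d, raw)
    return objs

def decode_stream(d, raw):
    return zlib.decompress(raw) if b"/FlateDecode" in d else raw  # Flate is the only filter handled

def carve_js(objs):
    """[(objnum, code)] for every stream reached through a '/JS N 0 R' reference."""
    found = []
    for _, d, _ in objs.values():
        for m in JS_REF_RE.finditer(d):
            _, td, traw = objs.get(int(m.group(1)), (0, b"", None))
            if traw is not None:
                found.append((int(m.group(1)), decode_stream(td, traw)))
    return found

def decode_unescape(literal):
    """Bytes unescape() leaves in memory: %uXXXX -> 16-bit little-endian, %XX -> one byte."""
    def repl(m):
        return struct.pack("<H", int(m.group(1), 16)) if m.group(1) else bytes([int(m.group(2), 16)])
    return re.sub(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, literal)

def truetype_tables(font):
    """Tags in the sfnt table directory; empty if the blob is not TrueType/OpenType."""
    if len(font) < 12 or font[:4] not in (b"\x00\x01\x00\x00", b"true", b"OTTO"):
        return set()
    n = struct.unpack(">H", font[4:6])[0]
    return {font[12 + 16 * i:16 + 16 * i] for i in range(n) if 28 + 16 * i <= len(font)}

def triage(pdf):
    objs = parse_objects(pdf)
    js = carve_js(objs)
    fonts = []
    for _, d, _ in objs.values():
        for m in FONTFILE_RE.finditer(d):
            _, td, traw = objs.get(int(m.group(1)), (0, b"", None))
            hit = truetype_tables(decode_stream(td, traw)) & BITMAP_TABLES if traw else set()
            if hit:
                fonts.append((int(m.group(1)), sorted(hit)))
    tokens = {n: {k: len(rx.findall(c)) for k, rx in JS_TOKENS.items()} for n, c in js}
    payloads = [(n, decode_unescape(m.group(2))) for n, c in js for m in UNESC_LIT_RE.finditer(c)]
    rules = {
        "PDF_JS": bool(js),
        "PDF_UNESCAPE": any(t["unescape"] for t in tokens.values()),
        # correlation only: a bitmap-table font beside active content; no EBLC/EBDT validation
        "PDF_CVE_2023_26369_RELATED": bool(fonts) and any(ACTIVE_RE.search(d) for _, d, _ in objs.values()),
    }
    return {"rules": rules, "js": [(n, objs[n][0]) for n, _ in js], "tokens": tokens,
            "unescape_payloads": payloads, "bitmap_fonts": fonts}

def make_fake_ttf(tags):
    # Constructed sfnt: a valid table directory with empty tables is enough for the check.
    head = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    return head + b"".join(struct.pack(">4sIII", t, 0, 12 + 16 * len(tags), 0) for t in tags)

def build_sample_pdf():
    """Constructed stand-in for the analysed file; object numbers and payload are assumptions."""
    js = (b'var sc = unescape("%u9090%u9090%uCCCC");\nvar block = "";\n'
          b'while (block.length < 0x10000) { block += sc; }\neval("app.alert(1)");\n')
    font = make_fake_ttf([b"EBDT", b"EBLC", b"glyf", b"head"])
    def obj(num, body):
        return b"%d 0 obj\n%s\nendobj\n" % (num, body)
    def stream(num, extra, body):
        return obj(num, b"<< %s /Length %d >>\nstream\n%s\nendstream" % (extra, len(body), body))
    return (b"%PDF-1.4\n"
            + obj(1, b"<< /Type /Catalog /OpenAction << /S /JavaScript /JS 2 0 R >> >>")
            + stream(2, b"/Filter /FlateDecode", zlib.compress(js))
            + obj(4, b"<< /Type /FontDescriptor /FontFile2 5 0 R >>")
            + stream(5, b"/Length1 %d" % len(font), font)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

triage(build_sample_pdf()) fires all three rules on the constructed file, reports one unescape() payload of six bytes (90 90 90 90 cc cc) carved from object 2, and lists EBDT/EBLC for the font in object 5; on a PDF with no /JS reference and no embedded font it fires none. As with the scanner's rule, the CVE check is a correlation of a bitmap-table font with active content, which is why it should be read as a lead rather than as confirmed exploitation.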