Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2ed33285de87978…

MALICIOUS

PDF

401.9 KB Created: 2011-04-18 15:20:20 +08:00 Authoring application: Microsoft® Office Word 2007
MD5: a63887208ac6dc11d273114c2a7eee4d SHA-1: 763911ef8f85f864a2b9dcd88174857666bd3bc8 SHA-256: b2ed33285de87978cfc62b7072a1f6a35039f83eba122ec29b70035369e7a238
178 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.001 PowerShell

This PDF file exhibits multiple high-severity heuristic firings, including indicators related to CVE-2023-26369 and the presence of embedded rich media content. A secondary embedded PDF was also identified with suspicious static findings. The ML classifier strongly flagged this PDF as malicious. While no specific script was extracted, the combination of embedded content and exploit-related heuristics suggests the document is designed to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9792

Heuristics 5

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_013_off0000c41c.bin
f027ac9dfeb0f6d526988e6f2f7e74db2697e5c5a6ea11895814cd1495e5f93a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC41C 120104 bytes
objstm_0026_00.bin
0841ed6ca2149b386133777ff3868f6222ba5033d6f52cd654a117610818bd40		 pdf-objstm-decoded PDF /ObjStm 26 0 obj (inflated) 1084 bytes
polyglot_child_pdf_off0000b129.pdf
4f524304652a40e44ff5c1be254759ba8a217f6cbd40f2f03445182763c38e94		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xB129 366205 bytes
polyglot_child_pdf_off00062fb9.pdf
0b1c923c8a0028794f3a3244dc498786746334f394e41678cc58ffbeb707d0a8		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x62FB9 6125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.