Verdict: MALICIOUS
Risk Score: 162
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.007 JavaScript
The PDF file contains multiple embedded JavaScript streams and an embedded script payload, indicating an attempt to execute malicious code. The presence of a TrueType bitmap font together with active content, along with a high ML classifier score, strongly suggests exploitation of a known vulnerability such as CVE-2023-26369. The document body appears to consist of form fields, which could be used in a phishing or credential-harvesting attempt.
Machine Learning
- Nyx PDF Classifier malicious score 0.8926
Heuristics (8)
- TrueType bitmap font + active content — CVE-2023-26369 related (high, PDF_CVE_2023_26369_RELATED): PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- PRC/3D content in PDF (high, PDF_PRC_3D): PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat this as a related parser-exploit indicator rather than a specific CVE match.
- Embedded script payload in PDF stream (medium, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- XFA form (low, PDF_XFA): PDF uses XML Forms Architecture (XFA), which can contain script logic.
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake "Download" or "Open" button overlays used in PDF phishing lures.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://ns.adobe.com/xdp/
  - http://www.xfa.org/schema/xci/1.0/
  - http://www.xfa.org/schema/xfa-template/2.5/
  - http://www.xfa.org/schema/xfa-data/1.0/
  - http://www.xfa.org/schema/xfa-locale-set/2.1/
  - http://ns.adobe.com/xtd/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/pdfx/1.3/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xfdf/
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0308_000.js | f979542c4992f256c12537db5bbe5f86605da11ef877e634ccfc2c47c9284b10 | pdf-javascript-stream | PDF /JS object 308 at offset 0x1157 | 1604 bytes |
| javascript_obj0309_001.js | 3bf84668674e23c91aaaa6c58c24a1f80a30566e9cfbd09040882d18101fed76 | pdf-javascript-stream | PDF /JS object 309 at offset 0x1340 | 902 bytes |
| javascript_obj0310_002.js | 922f7942d25f53e6e6eedc1b3a95c47a757faab3be4838fa02db0dbea2c4dbcc | pdf-javascript-stream | PDF /JS object 310 at offset 0x14AB | 2798 bytes |
| embedded_pdf_script_000168cf.bin | 6808ac386cf1021213427e8c4c296469d470383c8cbe18fa44fe1e8bddd87b51 | pdf-embedded-script | PDF raw stream script payload at offset 0x168CF | 3107 bytes |
| icc_00_off0000a314.icc | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | pdf-icc-profile | PDF ICC profile at offset 0xA314 | 3144 bytes |
| font_00_sfnt_off0000fbd0.bin | 513cd6a39a7f12c27e22aa34801338ee0a7301d6e5c8a1246131b7398993b79c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFBD0 | 26228 bytes |