Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9558552b5023e06…

Verdict: MALICIOUS
File type: PDF
Size: 12.21 MB
MD5: cb073f9c58b8ae99a81e91e0a31d0d6a
SHA-1: c41c83e6fee89566f701b5c935b46c4320f47fbd
SHA-256: b9558552b5023e06b6676873ac1ef8dbba49b77dc94662d143d40db8fc22e901
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF contains a direct link to an executable payload, indicating a clear intent to deliver malware. The presence of heuristics related to CVE-2023-26369 and a high stream count suggests exploitation of a known vulnerability and obfuscation techniques. The primary IOC is the URL pointing to the executable.

Machine Learning

  • Nyx PDF Classifier: clean score 0.2302

Heuristics (4)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; category: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • PDF link points directly to executable/archive payload (severity: critical; rule: PDF_DIRECT_PAYLOAD_LINK)
    PDF contains a clickable HTTP(S) URI whose path ends in an executable, script, shortcut, disk image, or archive extension. Documents can legitimately link to installers, so this is a high-risk delivery indicator rather than a standalone exploit fingerprint.
  • Unusually high stream count (severity: medium; rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.multitran.ru/c/m.exe?t=711348_4_2&s1=a%20bon%20vin,%20il%20ne%20faut%20point%20de%20bouchon
    • http://www.proverbes-francais.fr/proverbes-francais/
    • http://www.mon-poeme.fr/proverbes-francais/
    • http://www.rubricon.com/qe.asp?qtype=4&rq=4&id=111&aid=%7b47043452-A8E0-425D-9E21-B1C4C1C127CE%7d
    • http://www.glossary.ru/
    • https://zazdorovye.ru/radon-nevidimyj-ubijca/
    • http://www.russiatourism.ru/contents/statistika/statisticheskie-pokazateli-vzaimnykh-poezdok-grazhdan-rossiyskoy-federatsii-i-grazhdan-inostrannykh-gosudarstv/strany-lidiruyushchie-po-kolichestvu-pribytiy-na-territoriyu-rossiyskoy-federatsii/
    • http://www.russiefrancophone.com/la-france-et-la-russie-tendances-touristiques-actuelles/
    • http://www.lecourrierderussie.com/economie/2011/12/russie-mirage-touristique/
    • http://www.lecourrierderussie.com/economie/2013/08/record-tourisme-moscou/
    • http://www.bilan.ch/economie/touristes-suisses-voyagent-russie-malgre-crise-ukraine
    • http://www.tavr.science/
    • http://coinspot.io/analysis/cifrovye-valyuty-i-budushhee-deneg
    • https://xchange.cash/news/Bitkoin-v-Rossii-sovremennye-realii-i-perspektivy.html
    • http://www.gorodufa.ru/files/ga/280617/pzz.pdf
    • http://drugoigorod.ru/
    • https://interactive-plus.ru/ru/keyword/2691/articles
    • https://interactive-plus.ru/ru/keyword/6459/articles
    • https://interactive-plus.ru/ru/keyword/99276/articles
    • http://www.hoel.nu/publications/%20Hoel_ICALT_2015_submitted.pdf
    • http://surgeryzone.net/vrachi/zapisatsya-k-psixiatru.html
    • http://surgeryzone.net/vrachi/zapisatsya-k-terapevtu.html
    • http://surgeryzone.net/zapis-k-vrachu
    • http://ec-dejavu.ru/p/Publ_Mesheryakov_tattoo.html
    • http://www.linternaute.com/expression/langue-francaise/14357/etre-au-pain-et-a-l-eau/
    • http://citation-celebre.leparisien.fr/proverbe/francais
    • https://www.larousse.fr/dictionnaires/francais
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://files.stroyinf.ru/data1/56/56325/#i622146
    • http://files.stroyinf.ru/Data2/1/4293816/4293816468.htm
    • http://docs.cntd.ru/document/1200015371
    • https://elibrary.ru/item.asp?id=23601667
    • https://matematika.utm.my/index.php/matematika/article/download/773/693
    • https://elibrary.ru/item.asp?id=30107934
    • https://lenta.ru/news/2015/12/22/foreigntourists/
    • https://www.tripadvisor.fr/TravelersChoice-DestinationsontheRise
    • http://cyberleninka.ru/article/n/povyshenie-konkurentosposobnosti-predpriyatiy-industrii-gostepriimstva-na-osnove-analiza-zhalob-i-otzyvov-v-internete-klientov-setevyh
    • http://www.routard.com/guide/russie/1704/hebergement.html
    • https://elibrary.ru/keyword_items.asp?keywordid=12109514
    • https://elibrary.ru/keyword_items.asp?keywordid=12109515
    • https://elibrary.ru/keyword_items.asp?keywordid=12109516
    • https://elibrary.ru/keyword_items.asp?keywordid=12109517
    • http://purl.org/dc/elements/1.1/
    • http://www.consultant.ru/document/cons_doc_LAW_296695/3e9f1c202800e8bc7adecd0fc2ac88ad3207771c/#dst1345
    • http://www.consultant.ru/document/cons_doc_LAW_284335/c785e4888f929b47d9538aeb49e6c3ec4db69e94/#dst1388
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://elibrary.ru/contents.asp?issueid=977883
    • http://elibrary.ru/contents.asp?issueid=977883&selid=17071823
    (24 more URLs not shown)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

stream_113_off009fe944.bin
  SHA-256: 4658c17564ba845ff96e0f2404154317b5681c146e09bf99dc20e2718b5f50d9
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x9FE944
  Size: 233648 bytes

stream_114_off00a13795.bin
  SHA-256: 345fb10797030fa0323f4ff0add6e1cd4f046ab95d88b136c96648dbac509f9b
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA13795
  Size: 264772 bytes

stream_115_off00a2e2fe.bin
  SHA-256: 0c405c67d3aabdc0804872baee908329832c4f78360e600894aaba680f1b9871
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA2E2FE
  Size: 202496 bytes

stream_117_off00a4b888.bin
  SHA-256: ca222f9c925406d4c08dc4f9dc187c272eb0f9215e196f036fe44c7620185d0c
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA4B888
  Size: 206220 bytes

stream_118_off00a647f3.bin
  SHA-256: 8e7339d5d99afcb2bc16aafadd29f3ae5dd233dbcc567be45bb895d8cf5f8a00
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA647F3
  Size: 155512 bytes

stream_121_off00a8b6ad.bin
  SHA-256: 5da319408d3bdad69108f54290591d4c6b519fcc2959639fb7677cf8d38148ed
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xA8B6AD
  Size: 298068 bytes