Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba901ccdf797dde0…

Verdict: MALICIOUS
File type: PDF
Size: 2.34 MB
Created: 2023-12-26 16:43:55 +00:00
First seen: 2025-09-11
MD5: eb100f247ade7f905ebcf694b4e99033
SHA-1: 7a49c4c25f56f3e9dc7cf5f66c4940aff9e1f998
SHA-256: ba901ccdf797dde0b23edf731adb4ade659450782f138f8f505c7e290f9cede5
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1539 Steal Web Session Cookie

A heuristic rule fired on CVE-2023-26369-related indicators: the PDF embeds a TrueType font carrying bitmap glyph tables, the table family abused by that CVE, although the rule does not confirm the malformed EBLC/EBDT primitive itself. Separately, the document's text actively lures the reader into supplying sensitive recovery secrets or private keys. No scripts were extracted, so the content and structure point primarily to a social engineering attack aimed at credential harvesting rather than to a confirmed exploit.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001 (a score this close to zero means the classifier does not consider the file clean)

Heuristics (3)

  • TrueType bitmap font + active content, CVE-2023-26369 related [severity: high; category: CVE related; rule: PDF_CVE_2023_26369_RELATED]
    The PDF embeds a TrueType font with bitmap glyph tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType font engine, reached through malformed EBLC/EBDT bitmap tables, for arbitrary code execution, and it was actively exploited in the wild. This rule only keys on the presence of the bitmap table set and does not validate the malformed EBLC/EBDT primitive, so it is an indicator rather than a confirmed exploit.
  • Recovery secret / private key request [severity: critical; rule: SE_SECRET_RECOVERY_LURE]
    The document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets inside a document are high-risk.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) identify which channel reached each URL. No channel labels were reported for this sample.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.microsoft.com/typography/ctfonts
    • http://lucasfonts.com
    • http://en.wikipedia.org/wiki/MIT_License
    • http://www.microsoft.com/typography/fonts/default.aspx
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt
    • http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
    • http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt
    • http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    • http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt
    • http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    • http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt
    • http://www.microsoft.com/pkiops/docs/primarycps.htm
    • http://www.microsoft.com/Typography
    The first five URLs are XMP/RDF metadata namespace identifiers. The rest are font-vendor pages and Microsoft PKI endpoints (CRL distribution points and AIA certificate URLs for the Microsoft Code Signing PCA 2011, Time-Stamp PCA and root CAs), which is consistent with the certificate chain carried in a signed font's DSIG table; as extracted, several of them carried trailing ASN.1 structure bytes (e.g. "0X", "0a") that are not part of the URL, and the typography and lucasfonts.com strings were run together by the string extractor. None of these URLs is a contact indicator on its own.
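The two heuristics above are the kind a practitioner will want to reproduce locally to triage similar samples. The following Python is an added example, not the scanner's own rule code: it carves FlateDecode streams out of a PDF (the same kind of streams listed under Extracted artifacts), checks whether a decompressed stream is an sfnt (TrueType/OpenType) font, reads its table directory and flags the bitmap tables EBDT/EBLC/CBDT/CBLC/sbix, and separately greps decompressed streams for recovery-secret lure phrases. Like the scanner's rule, it only reports the presence of bitmap tables and does not validate a malformed EBLC/EBDT structure. The lure word list, the function names and the sample PDF produced by build_sample_pdf are all constructed for this example.

```python
import re
import struct
import zlib

# Bitmap-glyph table tags; the presence of any of these is what a
# PDF_CVE_2023_26369_RELATED-style rule keys on. Presence alone is an
# indicator, not proof of a malformed EBLC/EBDT structure.
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix"}

# sfnt headers for a single font (TrueType, Apple 'true', CFF-based OpenType).
# Font collections ('ttcf') have a different header and are deliberately not parsed.
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}

# Constructed lure phrases (assumption: the scanner's real word list is not on the page).
LURE_PATTERNS = re.compile(
    rb"(recovery\s+phrase|seed\s+phrase|private\s+key|backup\s+code|saved\s+password)",
    re.IGNORECASE,
)

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def carve_flate_streams(pdf: bytes):
    """Yield (offset, decompressed bytes) for every stream body zlib can inflate."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield m.start(1), zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not FlateDecode, or corrupt: leave it for other decoders


def sfnt_tables(font: bytes):
    """Return the table tags from an sfnt table directory, or None if not a font."""
    if len(font) < 12 or font[:4] not in SFNT_MAGICS:
        return None
    (num_tables,) = struct.unpack(">H", font[4:6])
    tags = []
    for i in range(num_tables):
        rec = font[12 + 16 * i : 28 + 16 * i]
        if len(rec) < 16:
            break  # truncated directory: stop rather than mis-parse
        tag, _checksum, _offset, _length = struct.unpack(">4sIII", rec)
        tags.append(tag)
    return tags


def scan_pdf(pdf: bytes):
    """Return (kind, stream_offset, detail) findings for bitmap fonts and lure text."""
    findings = []
    for off, data in carve_flate_streams(pdf):
        tags = sfnt_tables(data)
        if tags is not None:
            hits = sorted(t.decode() for t in BITMAP_TABLES & set(tags))
            if hits:
                findings.append(("bitmap_font", off, hits))
        for m in LURE_PATTERNS.finditer(data):
            findings.append(("secret_lure", off, m.group(1).decode(errors="replace")))
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: a minimal TrueType font whose directory lists EBLC/EBDT,
    plus a content stream carrying a recovery-phrase lure, both FlateDecode-compressed."""
    tables = [b"head", b"EBLC", b"EBDT", b"glyf"]
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 64, 2, 0)
    data_start = 12 + 16 * len(tables)
    directory = b"".join(
        struct.pack(">4sIII", tag, 0, data_start + 16 * i, 16) for i, tag in enumerate(tables)
    )
    font = header + directory + b"\x00" * (16 * len(tables))  # table bodies are dummies
    lure = b"BT /F1 12 Tf (Enter your 12-word recovery phrase to restore access) Tj ET"

    def obj(num: int, payload: bytes) -> bytes:
        return (
            b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(payload))
            + payload
            + b"\nendstream\nendobj\n"
        )

    return b"%PDF-1.7\n" + obj(4, zlib.compress(font)) + obj(5, zlib.compress(lure)) + b"%%EOF\n"


if __name__ == "__main__":
    for kind, off, detail in scan_pdf(build_sample_pdf()):
        print(f"{kind:12s} stream@0x{off:06x} {detail}")
```

On a real sample, run scan_pdf over the file bytes; the stream offsets it reports line up with the "FlateDecoded stream at offset" column in the artifacts list, so a bitmap_font hit can be matched directly to a carved stream for deeper inspection with a font parser. Streams that use other filters (LZW, ASCIIHex, object streams) are skipped here, so a clean result from this script does not clear a file that the scanner flagged.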

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

stream_001_off0001a988.bin
  SHA-256: c306400ad427628497ad0d87a15ab4b7ab60c522560d08fbae2828bda321995a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1A988
  Size: 1111500 bytes

stream_048_off0014cb14.bin
  SHA-256: 4927aa20004703e68efd9fd5909063072f20c83422e32129f3b6e1bc637b2a69
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x14CB14
  Size: 408108 bytes

stream_052_off00215216.bin
  SHA-256: 3bdf82dd3faada4e3ac91dcf29e8582968c257fe724049f777fa0a282fd076ac
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x215216
  Size: 167476 bytes

stream_054_off0022a59b.bin
  SHA-256: 6080dbd4b061ca7a36bcb50a1ca939f3c76b5c17e77650095ac1079eac601cbf
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x22A59B
  Size: 146072 bytes