Malicious PDF — malware analysis report

Static analysis result for SHA-256 c056e62dcf22ea21…

Verdict: MALICIOUS
File type: PDF
Size: 7.84 MB
Created: 2018-03-29 18:48:23 +07:00
Authoring application: Microsoft® Word 2010
MD5: c80d392b664f9c6f2fc6704eab34fc3f
SHA-1: fde079adab6f0a67a5129fb25d0cee85118a5b6f
SHA-256: c056e62dcf22ea2161d43cc9c41747c5d2a56f2dfd3bf349de53dfe00cabd3d6
Risk score: 62

Machine Learning

  • Nyx PDF Classifier: clean score 0.1418

Heuristics (4)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; category: CVE related; rule ID: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution and was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive, so a match is an indicator rather than a confirmed exploit.
  • Unusually high stream count (severity: medium; rule ID: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spraying or heavy obfuscation.
  • External URI (severity: info; rule ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.google.co.th/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwjYwf6mxM_YAhWILo8KHdneBHsQjRx6BAgAEAY&url=https://www.voathai.com/a/brazil-protests-petrobas/2683119.html&psig=AOvVaw1doAtMMg_eUTAaDh2AC_8J&ust=1515747120682628
    • http://www.dailynews.co.th/foreign/540734
    • https://www.youtobe.com/watch?v=yZcG8xXxH60
    • https://www.google.co.th/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=2ahUKEwi5n-L31s_YAhWH6Y8KHSTwC4IQjRx6BAgAEAY&url=https://www.rbru.ac.th/th/gallerypic.php?no_activity=5351&psig=AOvVaw0YfX0vx5EhTbt6n3soEi21&ust=1515752136966006
    • https://www.google.co.th/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwjh5rqM0c_YAhXHYo8KHbR4A_8QjRwIBw&url=https://addicted2success.com/quotes/56-mind-blowing-albert-einstein-quotes/&psig=AOvVaw3KQUUqavVcUJfvusqCnGQz&ust=1515750586795305
    • http://www.google.co.th/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwiu5vrMyc_YAhWMvY8KHRebDM8QjRwIBw&url=http://www.chillpainai.com/scoop/1500/&psig=AOvVaw0PQRD94d7i4UzZa850KXNa&ust=1515748556837742
    • https://www.youtube.com/watch?v=Z6h4OuywCgE
    • https://www.youtube.com/watch?v=rjiE85tL_GA
    • https://www.youtube.com/watch?v=xrUiXZ6jhVg
    • https://www.youtube.com/watch?v=k9Ycz2aAaVw (the extracted string continues with a long run of encoded spaces and mis-encoded non-ASCII text that did not survive extraction, followed by the fragments "2559" and "2 By TYN B.D." and a second URL, https://www.youtube.com/watch?v=RKT4B1bjU1s)
    • http://www.iec.ch
    • https://www.youtube.com/watch?v=UgxbgwMZJY4
    • http://news.sanook.com/1821823/
    • http://women.sanook.com/14304/
    • http://www.bbc.com/thai/international-39227441
    • http://hathaitipthongmoon.blogspot.com/2013/08/4.html
    • https://www.youtube.com/watch?v=rvFS1YdqSfQ
    • https://www.youtube.com/watch?v=EzEvPshSKjl
    • http://www.youtube.com/watch?v=jcRJim_e9Sw
    • https://www.youtube.com/watch?v=-ac0X5AAZ44
    • https://www.youtube.com/watch?v=8ciyd9FYIiI&t=868s

Extracted artifacts (12)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| stream_015_off0001bc3a.bin | 662e1919ffdcac48ae32878be9c7994cf5a285190d61cbccbe11c5ed771ee113 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1BC3A | 1626624 bytes |
| stream_028_off000b0448.bin | c7c25cfc9bb840f10e2a7573d1f01b65cdcd929b68060d59abd4e4652b0b6e7d | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB0448 | 411978 bytes |
| stream_044_off000c5a0b.bin | 340efdbbd253068a49af20bf49ad73b7bc6fb13326f45177a45f1258369bd5bb | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xC5A0B | 601290 bytes |
| stream_054_off000d3ec4.bin | e187da02d43afe1ccdf2ec668ae6cc019cc4894277adaa75519c31e7928b61c8 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD3EC4 | 33579 bytes |
| stream_055_off000d5ce8.bin | dd7d3b84c213aae941acee0ac17a53fc7047baf6f08b765068018938e7ab9228 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD5CE8 | 11193 bytes |
| stream_058_off000d96a3.bin | 88bca7f49a532faec1bbf51619a399da439049c6102caab03e3d0462ee7e4e4a | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xD96A3 | 33579 bytes |
| stream_065_off0063ac44.bin | 4a73654ce920bc816ddb5d809346ffda41a4bc02659781fa0c3452dd6073aea4 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x63AC44 | 177568 bytes |
| stream_067_off00652f8e.bin | 13d251759649daba5578cf5a9d778fc0522455b5acbc363c646b3c92d5f0d147 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x652F8E | 61360 bytes |
| stream_069_off0065b4da.bin | 72e6229a7f4d60002a93a3727e2f826cf997fbcd9a83fbfa69851c828fac12cc | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x65B4DA | 66424 bytes |
| stream_070_off00660c78.bin | 06a4bf825a27489c1814323facd08498e360e2430f053df7f6ffbf84e54d0b97 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x660C78 | 664336 bytes |
| stream_071_off00672732.bin | 19e400a0beed6057e1c9387642f48c0d91996a7603eeec385bce2c36d37b201c | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x672732 | 170956 bytes |
| stream_073_off00688214.bin | 190cf028419c41261546098871fe88fa4887f92b689557216afcef0d9e5fce9b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x688214 | 94144 bytes |