Malicious PDF — malware analysis report

Static analysis result for SHA-256 c23f959017cce644…

MALICIOUS

PDF

Size: 2.64 MB
Created: 2017-01-17 11:56:32 +02:00
Authoring application: Microsoft® Word 2016
First seen: 2017-09-14
MD5: f4bbd33728d8c59d9e0f88bb61493b14
SHA-1: 5135da977bd40640435984131c80458f442b92de
SHA-256: c23f959017cce64456025eb644ffce2585731d54131cdb1535d0da288cbe2396
Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF file contains embedded JavaScript and is related to CVE-2023-26369, indicating an attempt to exploit a known vulnerability. Several external URLs are present, with one being explicitly linked to embedded JavaScript. The presence of embedded JavaScript suggests the execution of malicious code, likely to download further payloads or redirect the user to a malicious site.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0017

Heuristics (7)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; CVE related; rule PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Obfuscated Pidief-style JavaScript loader (stage not decoded) (severity: high; CVE related; rule PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER)
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap spray pushes it to malicious.
  • PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Suspicious extracted artifact (severity: medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (severity: info; rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (source channel in parentheses):
    • http://psychlib.ru/mgppu/PPs-2008/PPs- (PDF document text)
    • http://khomich.info/uvolnyaetsya-rabotnik (PDF document text)
    • http://internet-kit.ru/oshibki-pri-rabote-s-otricatelnymi-otzyvami/ (PDF document text)
    • http://www.docslide.us/documents/aas-ghid-pentru-cariera-mea.html (PDF link annotation)
    • http://www.testemitanu.info/biografie.php?biografie=on (PDF document text)
    • http://special.timpul.md/sa-urci-pe-everest-si-sa-nu-mori/ (PDF document text)
    • http://www.asara.ro/proverbe-despre-munca/ (PDF document text)
    • http://www.vipmagazin.md/top-femei/99_Femei_ale_Moldovei/Svetlana_Gozun._Doamna_%E2%80%9Ecodreanca%E2%80%9D/ (PDF document text)
    • http://christineconsulting.ro/calitati-ale-unui-contabil-de-incredere/ (PDF document text)
    • http://www.eurodezvoltare.ro/profil-profesional-bucatar/ (PDF document text)
    • http://www.infoinstitutii.ro/articole/legislatia-muncii-4/conditii-de-desfasurare-a-interviului-pentru-ocuparea-unui-post-vacant-in-sectorul-public-37.html (PDF document text)
    • http://www.intensa.ro/calitati-care-te-recomanda-pentru-a-fi-avocat/ (PDF document text)
    • http://www.psyvolution.ro/calitatile-unui-profesionist-in-consiliere/ (PDF document text)
    • http://www.studentinromania.ro/sfaturi-pentru-interviul-de-angajare/ (PDF document text)
    • http://www.psy.1september.ru/view_article.php?ID=200902403 (PDF document text)
    • http://www.mama-au43.ru/Viborprof.htm (PDF document text)
    • http://www.psy.1september.ru/article.php?ID=200700205 (PDF document text)
    • http://psychlib.ru/mgppu/PPs-2008/PPs-320.htm (PDF document text)
    • http://www.psy.1september.ru/article.php?ID=200601403 (PDF document text)
    • http://www.paint-best.ru/kak-narisovat-parnja-v-polnyj-rost-karandashom-poehtapno (PDF document text)
    • http://www.millstick.ro/sticker-copac-cu-fluturi-2513.html (PDF document text)
    • http://www.povestipentrupicivoinici.ro/wp-content/uploads/2016/02/IMPARATUL-TIMP.jpg (PDF document text)
    • http://www.revistadealba.ro/dgaspc-alba-s-a-mutat-intr-un-nou-sediu/ (PDF document text)
    • http://www.alandaland.blogspot.md/%20%20 (PDF document text)
    • http://www.romania-handmade.ro/index.php?Mozaic=Rama_foto_mozaic_art_-_Flori_multicolor&view=181&currency=RON&lang=ro (PDF document text)
    • http://www.incomemagazine.ro/articole/targul-de-cariere-2014-peste-150-de-companii-ofera-locuri-de-munca (PDF document text)
    • http://www.printgames.ru/nastolnaya-igra-monopoliya/ (PDF document text)
    • http://www.razvitie-zhurnal.ru/rabota/kak-vesti-sebya-na-sobesedovanii-pri-prieme-na-rabotu.html (PDF document text)
    • http://www.anidescoala.ro/divertisment/timp-liber/activitati-educative/semaforul-stanga-sau-dreapta-si-capitanul-testeaza-reflexele/ (PDF document text)
    • http://www.nlo-ru.com/humor21.php (PDF document text)
    • http://www.zambetulsoarelui.wordpress.com/2016/03/06/asumarea-riscului/ (PDF document text)
    • http://blogulspecialistului.manager.ro/a/atentie/management-si-afaceri/2020/calitatile-si-atitudinile-unui-bun-manager.html (PDF document text)
    • http://www.ro.wikipedia.org/wiki/Pia%C8%9Ba_muncii_ (PDF document text)
    • http://www.ru.scribd.com/doc/55427596/calitatile-jurnalist (PDF document text)
    • http://www.metodkabi.net.ru/index.php?id=strat_9#ur (PDF document text)
    • http://www.dreamstime.com/stock-images-beige-blazon-pattern-image4747344 (PDF document text)
    • http://www.liveinternet.ru/users/nata-natalka/post301015863/ (PDF document text)
    • http://www.adevarul.ro/moldova/social/moldovenii-discriminati-angajare-1_5565bdbccfbe376e35a5dc8d/index.html (PDF document text)
    • http://www.pro.rabota.ru/pro/document/view/11166 (PDF document text)
    • http://www.randytherandybowen.wordpress.com/2015/02/27/more-than-a-date-part-1-us-against-them/ (PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (PDF document text)
    • http://purl.org/dc/elements/1.1/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/ (PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (PDF document text)
    • http://www.microsoft.com/typography/ctfontshttp://lucasfonts.comMicrosoft (PDF document text; extracted as one run-together string)
    • http://en.wikipedia.org/wiki/MIT_License (PDF document text)
    • http://www.microsoft.com/typography/fonts/default.aspx (PDF document text)
    • http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (PDF document text)
    • http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (PDF document text)
    +10 more URL(s)

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • stream_001_off0000166f.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x166F
    Size: 131670 bytes
    SHA-256: 63823655abd09ffee33cd826e4d571fdf9938c407184f964246e4638ed2ce28d
  • stream_072_off000dadf8.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDADF8
    Size: 622800 bytes
    SHA-256: d7956be15e8db8a174f2eaad6675553e7425fc9bbf890d22dec64d86236c4d58
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06
  • stream_076_off000ff6f7.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xFF6F7
    Size: 616572 bytes
    SHA-256: 92f580e663a0fd6ec7c2b97374d000210d247f1fd0eadd3cc4c7e9193e177000
  • stream_109_off0017fd10.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17FD10
    Size: 397140 bytes
    SHA-256: a3acd21120d572ad01d1d05586f11d50b28385cea3226901d0eda0b3f6ea7b15
  • stream_115_off001e59da.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1E59DA
    Size: 371552 bytes
    SHA-256: bcfdc303b06ec4a16a93b9f558c5fb02b637419b8f000b1f58dc59b1554b3290
  • stream_122_off0023f118.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x23F118
    Size: 203172 bytes
    SHA-256: e34d98858d3d6d075d10e63f3d319b97a647ed0a3850cba7ba19fb49f4e4a121