Verdict: MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious Link
The PDF file contains embedded JavaScript and is related to CVE-2023-26369, indicating an attempt to exploit a known vulnerability. Several external URLs are present, with one being explicitly linked to embedded JavaScript. The presence of embedded JavaScript suggests the execution of malicious code, likely to download further payloads or redirect the user to a malicious site.
Machine Learning
- Nyx PDF Classifier: clean score 0.0017
Heuristics (7)
- TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; rule: PDF_CVE_2023_26369_RELATED): PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
- Obfuscated Pidief-style JavaScript loader (stage not decoded) (severity: high; rule: PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER): PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
- PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER): PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
- Suspicious extracted artifact (severity: medium; rule: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded JS stream (severity: low; rule: PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- External URI (severity: info; rule: PDF_URI): PDF contains an external URL action.
- Embedded URL (severity: info; rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (channel in parentheses)
- http://psychlib.ru/mgppu/PPs-2008/PPs- (In PDF document text)
- http://khomich.info/uvolnyaetsya-rabotnik (In PDF document text)
- http://internet-kit.ru/oshibki-pri-rabote-s-otricatelnymi-otzyvami/ (In PDF document text)
- http://www.docslide.us/documents/aas-ghid-pentru-cariera-mea.html (PDF link annotation)
- http://www.testemitanu.info/biografie.php?biografie=on (In PDF document text)
- http://special.timpul.md/sa-urci-pe-everest-si-sa-nu-mori/ (In PDF document text)
- http://www.asara.ro/proverbe-despre-munca/ (In PDF document text)
- http://www.vipmagazin.md/top-femei/99_Femei_ale_Moldovei/Svetlana_Gozun._Doamna_%E2%80%9Ecodreanca%E2%80%9D/ (In PDF document text)
- http://christineconsulting.ro/calitati-ale-unui-contabil-de-incredere/ (In PDF document text)
- http://www.eurodezvoltare.ro/profil-profesional-bucatar/ (In PDF document text)
- http://www.infoinstitutii.ro/articole/legislatia-muncii-4/conditii-de-desfasurare-a-interviului-pentru-ocuparea-unui-post-vacant-in-sectorul-public-37.html (In PDF document text)
- http://www.intensa.ro/calitati-care-te-recomanda-pentru-a-fi-avocat/ (In PDF document text)
- http://www.psyvolution.ro/calitatile-unui-profesionist-in-consiliere/ (In PDF document text)
- http://www.studentinromania.ro/sfaturi-pentru-interviul-de-angajare/ (In PDF document text)
- http://www.psy.1september.ru/view_article.php?ID=200902403 (In PDF document text)
- http://www.mama-au43.ru/Viborprof.htm (In PDF document text)
- http://www.psy.1september.ru/article.php?ID=200700205 (In PDF document text)
- http://psychlib.ru/mgppu/PPs-2008/PPs-320.htm (In PDF document text)
- http://www.psy.1september.ru/article.php?ID=200601403 (In PDF document text)
- http://www.paint-best.ru/kak-narisovat-parnja-v-polnyj-rost-karandashom-poehtapno (In PDF document text)
- http://www.millstick.ro/sticker-copac-cu-fluturi-2513.html (In PDF document text)
- http://www.povestipentrupicivoinici.ro/wp-content/uploads/2016/02/IMPARATUL-TIMP.jpg (In PDF document text)
- http://www.revistadealba.ro/dgaspc-alba-s-a-mutat-intr-un-nou-sediu/ (In PDF document text)
- http://www.alandaland.blogspot.md/%20%20 (In PDF document text)
- http://www.romania-handmade.ro/index.php?Mozaic=Rama_foto_mozaic_art_-_Flori_multicolor&view=181&currency=RON&lang=ro (In PDF document text)
- http://www.incomemagazine.ro/articole/targul-de-cariere-2014-peste-150-de-companii-ofera-locuri-de-munca (In PDF document text)
- http://www.printgames.ru/nastolnaya-igra-monopoliya/ (In PDF document text)
- http://www.razvitie-zhurnal.ru/rabota/kak-vesti-sebya-na-sobesedovanii-pri-prieme-na-rabotu.html (In PDF document text)
- http://www.anidescoala.ro/divertisment/timp-liber/activitati-educative/semaforul-stanga-sau-dreapta-si-capitanul-testeaza-reflexele/ (In PDF document text)
- http://www.nlo-ru.com/humor21.php (In PDF document text)
- http://www.zambetulsoarelui.wordpress.com/2016/03/06/asumarea-riscului/ (In PDF document text)
- http://blogulspecialistului.manager.ro/a/atentie/management-si-afaceri/2020/calitatile-si-atitudinile-unui-bun-manager.html (In PDF document text)
- http://www.ro.wikipedia.org/wiki/Pia%C8%9Ba_muncii_ (In PDF document text)
- http://www.ru.scribd.com/doc/55427596/calitatile-jurnalist (In PDF document text)
- http://www.metodkabi.net.ru/index.php?id=strat_9#ur (In PDF document text)
- http://www.dreamstime.com/stock-images-beige-blazon-pattern-image4747344 (In PDF document text)
- http://www.liveinternet.ru/users/nata-natalka/post301015863/ (In PDF document text)
- http://www.adevarul.ro/moldova/social/moldovenii-discriminati-angajare-1_5565bdbccfbe376e35a5dc8d/index.html (In PDF document text)
- http://www.pro.rabota.ru/pro/document/view/11166 (In PDF document text)
- http://www.randytherandybowen.wordpress.com/2015/02/27/more-than-a-date-part-1-us-against-them/ (In PDF document text)
- http://www.w3.org/1999/02/22-rdf-syntax-ns# (In PDF document text)
- http://ns.adobe.com/pdf/1.3/ (In PDF document text)
- http://purl.org/dc/elements/1.1/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/ (In PDF document text)
- http://ns.adobe.com/xap/1.0/mm/ (In PDF document text)
- http://www.microsoft.com/typography/ctfonts http://lucasfonts.com Microsoft (In PDF document text)
- http://en.wikipedia.org/wiki/MIT_License (In PDF document text)
- http://www.microsoft.com/typography/fonts/default.aspx (In PDF document text)
- http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X (In PDF document text)
- http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0 (In PDF document text)
+10 more URL(s)
Extracted artifacts (6)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_001_off0000166f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x166F | 131670 bytes |
| SHA-256: 63823655abd09ffee33cd826e4d571fdf9938c407184f964246e4638ed2ce28d | | | |
| stream_072_off000dadf8.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xDADF8 | 622800 bytes |
| SHA-256: d7956be15e8db8a174f2eaad6675553e7425fc9bbf890d22dec64d86236c4d58 | | | |
| Detection: ClamAV: No threats found. Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x06 | | | |
| stream_076_off000ff6f7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xFF6F7 | 616572 bytes |
| SHA-256: 92f580e663a0fd6ec7c2b97374d000210d247f1fd0eadd3cc4c7e9193e177000 | | | |
| stream_109_off0017fd10.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x17FD10 | 397140 bytes |
| SHA-256: a3acd21120d572ad01d1d05586f11d50b28385cea3226901d0eda0b3f6ea7b15 | | | |
| stream_115_off001e59da.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1E59DA | 371552 bytes |
| SHA-256: bcfdc303b06ec4a16a93b9f558c5fb02b637419b8f000b1f58dc59b1554b3290 | | | |
| stream_122_off0023f118.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x23F118 | 203172 bytes |
| SHA-256: e34d98858d3d6d075d10e63f3d319b97a647ed0a3850cba7ba19fb49f4e4a121 | | | |