Malicious PDF — malware analysis report

Static analysis result for SHA-256 c613f62f5cc57c3b…

MALICIOUS

PDF

263.4 KB
MD5: d9fb2d8783fa4853a169e25c86d51c50 SHA-1: 82c8e2fdd28dcd185de99cadf0c9432e51cf7ebe SHA-256: c613f62f5cc57c3bd7af16e36ac2a562d0866c511db07c28e2a1c46546c3f023
124 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The PDF sample contains embedded JavaScript and is flagged as related to CVE-2023-26369, indicating an exploit attempt. The embedded JavaScript, particularly the large stream from offset 0x5C (stream_005_off00001120.js), is highly suspicious and likely responsible for downloading and executing a secondary payload. The presence of embedded files and ML classification further supports a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8515

Heuristics 8

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xfdf/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://www.adobe.com/products/acrobat/readstep2.html
    • http://www.adobe.com/suppor\

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0059.bin
82d5cf9b0d862586300796cb087d91457441281fb554979aa6b952c899f39e34		 pdf-embedded-file PDF EmbeddedFile object 59 at offset 0x3F8F6 162 bytes
embedded_file_obj0060.bin
7259e671418dbed5abad555a11d697b358a62988a177f3c248fe5aa5e49aa900		 pdf-embedded-file PDF EmbeddedFile object 60 at offset 0x3F9E8 14779 bytes
embedded_file_obj0061.bin
4b1ec3b5bcda16d6efeac87c27733e07af075733fb5f490cbd5271a3b8f78b30		 pdf-embedded-file PDF EmbeddedFile object 61 at offset 0x40113 72480 bytes
stream_004_off00000bdf.js
2db9f85af04091bdf4ce21059d4bf131fcc492927269fa1cb6f670f54b60b143		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xBDF 6585 bytes
stream_005_off00001120.js
beba4fb60b141fd6bc5a783a3e4752015300744de06116590e6e895f309a9da5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1120 1020333 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
stream_006_off0003ab08.bin
9d180d047df024ed11781c6743863fa7cc17c8b0040dae52b80cada11853f742		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3AB08 2910 bytes
stream_008_off0003ecc9.js
529357503ec67b623d2a12816cdeea62bd639f2b4ff4e568b01c96cc3f5bfc6f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3ECC9 1363 bytes
stream_009_off0003eea6.js
e985b5df65c8c3cf732a9074b575fbc594c1c7f0bccc0994182ec7e5c0f7308a		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3EEA6 902 bytes
objstm_0063_00.bin
197ecdeb47eb387d6ff4f99bc2f72c791cc5b8ac56525b8dfe5fff1b880e8c2a		 pdf-objstm-decoded PDF /ObjStm 63 0 obj (inflated) 596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.