Malicious PDF — malware analysis report

Static analysis result for SHA-256 d02bb56438b05d8d…

MALICIOUS

PDF

321.8 KB Created: 2017-10-13 13:12:49 UTC Authoring application: RAD PDF (via RAD PDF 2.38.3.1 - http://www.radpdf.com)
MD5: bcdd287c73a8b2e231787e167dd0ff5d SHA-1: 37de6c59a6affc220a187e8372af4353e962d8c8 SHA-256: d02bb56438b05d8d845fb37f617d5b89726f59c9b685fb43b2a73fc509c11b23
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains embedded JavaScript and clickable URIs that utilize URL shorteners. One of the embedded URLs, http://carpetcleaninghoustontexas.com/wp-admin/dfr/index.php, is flagged as unknown reputation. The presence of CVE-2023-26369 related indicators suggests an attempt to exploit a known vulnerability. The primary attack vector appears to be directing the user to a potentially malicious external resource via shortened URLs.

Machine Learning

  • Nyx PDF Classifier clean score 0.0010

Heuristics 4

  • TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Clickable URI uses URL shortener medium PDF_URL_SHORTENER_URI
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://http://carpetcleaninghoustontexas.com/wp-admin/dfr/index.php
    • http://carpetcleaninghoustontexas.com/wp-admin/dfr/index.php
    • http://www.radpdf.com)/Creator(RAD
    • http://www.dynaforms.com
    • http://www.radpdf.com
    • http://bit.ly/2ykvOIO
    • http://ow.ly/WuE530g7n9O
    • http://bit.ly/2gQjiGQ
    • http://ow.ly/6HsO30ggN8q
    • http://ow.ly/Jktm30ggNim
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off0000a4c7.bin
2e3177d6a8064ab103f19103afc88b2b6a5373e103bc00d863316e499f1fe9ee		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xA4C7 287928 bytes
font_00_sfnt_off00000cbb.bin
448468e20bc72c84eda006a84679fc684e6e0605397bb1e1f1aac1a7e65566a9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCBB 76104 bytes
font_02_sfnt_off0001e525.bin
7fe2127d000840a1e6b779bc33840ffbdacfc2e2c7bcd67c0c8f2cf4b82e0e50		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E525 57864 bytes
font_03_sfnt_off00025803.bin
3919491c16b6921682e0e7c056c55189829f97da5c68f90c415a2a464cb19c21		 pdf-font-stream PDF embedded font (sfnt) at offset 0x25803 329128 bytes
font_04_sfnt_off000476d7.bin
9710cb2a34019c174c9a044583459117b9a525fefc1241fd9e58a2febad12a09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x476D7 7944 bytes
font_05_sfnt_off00048ec9.bin
c16dfae97bf15a2202cd13581a5cbdbb2660745af721566ad7307b69f704a97e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x48EC9 14496 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.