Malicious PDF — malware analysis report

Static analysis result for SHA-256 d62fd75665a451b1…

MALICIOUS

PDF

Size: 243.6 KB
Created: 2015-10-01 14:27:01 -07:00
Authoring application: PDFescape Online - https://www.pdfescape.com (via RAD PDF 3.19.2.2 - https://www.radpdf.com)
First seen: 2021-05-23
MD5: 87e9d73f956b942e88f07e01140a07cd
SHA-1: d341e5f0bde64661e3c59f068ed020bff3e62e8e
SHA-256: d62fd75665a451b1fefdd7a61b60f5c01c1ba82d6592f812ed5122956a4bfbda
Risk Score: 170

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is a PDF file identified as malicious, containing embedded JavaScript. The heuristic PDF_JS_EXPLOIT_CLUSTER, along with PDF_CVE_2023_26369_RELATED, strongly indicates an exploit targeting a known vulnerability. The embedded JavaScript, though simple, likely serves to trigger the exploit and potentially download further malicious content from the identified URL. The ML classifier's high confidence score further supports this assessment.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (7)

  • TrueType bitmap font + active content (CVE-2023-26369 related) [severity: high; CVE related] PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • JavaScript action [severity: low; 2 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [severity: critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream [severity: low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Image-only document with action trigger (screenshot lure) [severity: medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 1 text block(s), carries a click-outward action, and is only 243 KB, the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [severity: info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [severity: info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://perfectviewrealty.co.in/mail/pdf/index.html (channel: PDF link annotation)
    • https://www.radpdf.com (channel: PDF document text)
    • https://www.radpdf.com)/Author(See)/Creator(PDFescape (channel: PDF document text)
    • https://www.pdfescape.com)/RadPdfCustomData(pdfescape.com-open-0B6ED94E0C9EC6A65F01F648F6A3D1E0B2EFBC744D434ED5)/CreationDate(D:20151001142701-07 (channel: PDF document text)
    • http://www.dynaforms.com (channel: PDF document text)
    • https://www.pdfescape.com (channel: PDF document text)
    • http://www.iec.ch (channel: PDF document text)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (channel: PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (channel: PDF document text)
    • http://purl.org/dc/elements/1.1/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/ (channel: PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (channel: PDF document text)
    • http://www.microsoft.com/typography/ctfontshttp://fontfabrik.comYou (channel: PDF document text)
    • http://www.microsoft.com/typography/fonts/default.aspx (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0H (channel: PDF document text)
    • http://www.microsoft.com/pki/certs/CSPCA.crt0 (channel: PDF document text)
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0H (channel: PDF document text)
    • http://www.microsoft.com/pki/certs/tspca.crt0 (channel: PDF document text)
    • http://www.microsoft.com/typography (channel: PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • javascript_obj0019_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 19 at offset 0x3C71D
    Size: 55 bytes
    SHA-256: 31891b256fb2c725efed8b2bbf38a5e15a3a35b583d76d8b3fb5ee6c8b85f769
    Preview script (first 1,000 lines of the extracted script):
      this.print({bUI:true,bSilent:false,bShrinkToFit:true});
  • font_00_sfnt_off000004e0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E0
    Size: 169476 bytes
    SHA-256: a6eacb5f4c318f191f5c7ef56b8a9d24965db43dd12e86dc8eafc984e1163d47
  • font_01_sfnt_off000134a8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134A8
    Size: 39788 bytes
    SHA-256: 71f04eb0a43e49cb119288ed8821d0c62f8ea4e454b9af74768f689464c0e526