Malicious PDF — malware analysis report

Heuristics 15

• JPXDecode + active content — JPEG2000 CVE-family indicator high CVE related PDF_JPX_CVE_2018_4990_RELATED
  PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
• CCITTFaxDecode + active content — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED
  PDF uses /CCITTFaxDecode together with JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
• TrueType bitmap font + active content — CVE-2023-26369 related high CVE related PDF_CVE_2023_26369_RELATED
  PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
• SubmitForm action medium PDF_SUBMITFORM
  PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL
• Unusually high stream count medium PDF_MANY_STREAMS
  PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
• Callback phishing phone lure medium SE_CALLBACK_LURE
  Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
  ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
• Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
  Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
• AcroForm button with action trigger low PDF_ACROFORM_BUTTON
  PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
• Fake invoice / payment lure low SE_INVOICE_LURE
  Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
• External URI info PDF_URI
  PDF contains an external URL action
• Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.threesquaredproduction.com/bac-fpe-2016.html)/Type/Action/S/URI

  • http://www.eventexhibitions.co.uk/)/Type/Action/S/URI
  • http://www.faceuptv.com/)/Type/Action/S/URI
  • http://www.adexpo.co.uk/)/Type/Action/S/URI
  • http://www.igbaffiliatehotels.com/)/Type/Action/S/URI
  • http://www.initialrewards.com/)/Type/Action/S/URI
  • http://www.exposedesigns.co.uk/)/Type/Action/S/URI
  • http://www.symbiosis.co.uk/)/Type/Action/S/URI
  • http://www.outstandinggirls.co.uk/)/Type/Action/S/URI
  • http://www.chelseamodels.co.uk/)/Type/Action/S/URI
  • http://www.ufi.org/)/Type/Action/S/URI
  • http://www.aeo.org.uk/)/Type/Action/S/URI
  • http://www.ncsevents.co.uk/)/Type/Action/S/URI
  • http://www.messe-berlin.de/en/Visitors/ArrivalDeparture/Arrival/)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2016/ExhibitorManual/OrderForms/14.%20Stand%20Cleaning%20Order%20Form.pdf)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2016/ExhibitorManual/OrderForms/22.%20Parking%20Order%20Form.pdf)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2016/ExhibitorManual/OrderForms/15.%20Catering%20Order%20Form.pdf)/Type/Action/S/URI
  • http://www.adexpo.nl/auto_inlog.php?afzender=g7Ahdk9fbxe)/Type/Action/S/URI
  • http://www.igbaffiliatehotels.com/hotels.asp?id=3&idc=205&berlin)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2016/ExhibitorManual/OrderForms/16.%20Internet%20Order%20Form.pdf)/Type/Action/S/URI
  • http://www.questbranding.com/)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2015/BAC2015_Water%20Installation.pdf)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2015/BAC2015_Waste%20Disposal.pdf)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2015/BAC2015_Compressed%20Air.pdf)/Type/Action/S/URI
  • http://files.igamingbusiness.co.uk/Events/BAC2015/BAC2015_Gas%20Installation.pdf)/Type/Action/S/URI
  • http://www.w3.org/1999/02/22-rdf-syntax-ns#
  • http://purl.org/dc/elements/1.1/
  • http://ns.adobe.com/xap/1.0/
  • http://ns.adobe.com/xap/1.0/mm/
  • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
  • http://ns.adobe.com/illustrator/1.0/
  • http://ns.adobe.com/xap/1.0/t/pg/
  • http://ns.adobe.com/xap/1.0/sType/Dimensions#
  • http://ns.adobe.com/xap/1.0/g/
  • http://ns.adobe.com/pdf/1.3/
  • https://protect-eu.mimecast.com/s/9XWzBHnkJgcA)/Type/Action/S/URI
  • https://protect-eu.mimecast.com/s/GW47BUa0lVc1)/Type/Action/S/URI

Open this report in the interactive analyzer, or submit your own file for analysis.