MALICIOUS
80
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious Link
T1566.002 Spearphishing Attachment
The PDF file contains multiple JavaScript streams and triggers associated with PDF vulnerabilities, including a high-confidence indicator for CVE-2023-26369. The embedded JavaScript actions suggest an attempt to exploit the reader to download and execute further malicious content. While no specific family is identified, the exploit and JavaScript execution point to a downloader or dropper pattern.
Heuristics 7
-
TrueType bitmap font + active content — CVE-2023-26369 related high PDF_CVE_2023_26369_RELATEDPDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/g/img/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#
- http://ns.adobe.com/xap/1.0/sType/ManifestItem#
- http://ns.adobe.com/xap/1.0/t/pg/
- http://ns.adobe.com/xap/1.0/sType/Dimensions#
- http://ns.adobe.com/xap/1.0/sType/Font#
- http://ns.adobe.com/xap/1.0/g/
- http://ns.adobe.com/pdf/1.3/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0025_000.js0113dbe416e7a98e8c007ceb732cfc8ec3f9a9ff6487df4a3e3a8a37af646db7 |
pdf-javascript-stream | PDF /JS object 25 at offset 0x4D01 | 251 bytes |
javascript_obj0269_004.js8a77fc432004cf87a9ab2e5857381e7a941e28e0a930f59a53f846c6a54a49af |
pdf-javascript-stream | PDF /JS object 269 at offset 0x2609E | 134 bytes |
javascript_obj0271_005.js02ef63af3b607b1d6d8bf7c41c258d6eb1c4e8177b38de5f583c5f53d107cef7 |
pdf-javascript-stream | PDF /JS object 271 at offset 0x262C9 | 46 bytes |
javascript_obj0275_006.jse0e63629c58dc0c1c4c13fdb99d6314c34f9409ef23a7a6a4c32af702174a7fa |
pdf-javascript-stream | PDF /JS object 275 at offset 0x2656C | 50 bytes |
javascript_obj0281_008.js926cf3cdd55d86b454f8be8b0d6b955ee1a2ccd0a4abcf5f139ec103fa1b5382 |
pdf-javascript-stream | PDF /JS object 281 at offset 0x26A6B | 126 bytes |
javascript_obj0290_012.js5e25bba5f6b5312b87ef6743447e84122a76cd39a8bdd0133fec6a657e6c3eb1 |
pdf-javascript-stream | PDF /JS object 290 at offset 0x27297 | 205 bytes |
javascript_obj0295_013.js8af349ae8967a0b7f34631b8648a42e9b34d21798b80282dcd7e27434fc0c527 |
pdf-javascript-stream | PDF /JS object 295 at offset 0x275E2 | 170 bytes |
javascript_obj0303_015.jscab154b6da11d7d0b45d0920327a806d8bf56d043c6fa2a608901027d91db8e6 |
pdf-javascript-stream | PDF /JS object 303 at offset 0x27A6A | 185 bytes |
javascript_obj0306_016.js594274cd6b32f918d2c3f15a687ba84c58412428687065407665a17e8fead889 |
pdf-javascript-stream | PDF /JS object 306 at offset 0x27BD8 | 124 bytes |
javascript_obj0309_018.js3c95597f1b2f2bc5b06ac180f43bc7fc0a5c5a6de141a59b39bea5ca3bb119d7 |
pdf-javascript-stream | PDF /JS object 309 at offset 0x27DD9 | 181 bytes |
javascript_obj0335_022.jse6e36f6e38c926691f21969a0d7fb2268c98ef85020917dcd024e278b4f0039d |
pdf-javascript-stream | PDF /JS object 335 at offset 0x28C66 | 37 bytes |
javascript_obj0337_023.js6b7cde5083353dc94a728e784406248df1e3c34b8a1b86c325dca7d6822fc92b |
pdf-javascript-stream | PDF /JS object 337 at offset 0x28D11 | 39 bytes |
javascript_obj0338_024.jsd7feabbe96d6239a4e68846c17660c84111cd34df235720909593806041f8a24 |
pdf-javascript-stream | PDF /JS object 338 at offset 0x28D62 | 42 bytes |
javascript_obj0339_025.js14fcc57d4b056d63fb33a92efd84e32a66b431b44e5337166c3096da27b790f8 |
pdf-javascript-stream | PDF /JS object 339 at offset 0x28DB6 | 95 bytes |
javascript_obj0029_026.jsd265003cd1286ce8769352a9cb6c9b57635111b0c7e91759a0181debd90c0c4a |
pdf-javascript-stream | PDF /JS object 29 at offset 0x4ECD | 8466 bytes |
javascript_obj0030_027.js88dc68cd966ff858e677470403a38a61bcb47488d1b761ed50a00c3b7a9406b7 |
pdf-javascript-stream | PDF /JS object 30 at offset 0x5754 | 952 bytes |
javascript_obj0031_028.js21801274edc8a68fe0e11f30cb00a3f5e4bb8b053c52a1e23be0b45d54b81809 |
pdf-javascript-stream | PDF /JS object 31 at offset 0x58E8 | 578 bytes |
javascript_obj0032_029.jse30d6f50a360b1ac8c5c52dc66de8d3b41312e01bc69bfbac5e50e1d4cd56fda |
pdf-javascript-stream | PDF /JS object 32 at offset 0x5A37 | 717 bytes |
javascript_obj0033_030.jse6673a21e70a4d52851c73414674c83469da90e044d6559f2e4ef1e4e133b2c1 |
pdf-javascript-stream | PDF /JS object 33 at offset 0x5B68 | 533 bytes |
javascript_obj0034_031.js752f0b7a859f987ea5e80ee86f489b4745ab1b6a42e27abc0f52051b22d1d5ef |
pdf-javascript-stream | PDF /JS object 34 at offset 0x5CAB | 1314 bytes |
javascript_obj0035_032.js8686763ad3c1fc2ed8bff47751007f8c20ef823bbec1dd623324200ade49f1ae |
pdf-javascript-stream | PDF /JS object 35 at offset 0x5EA6 | 1401 bytes |
javascript_obj0267_033.jsa2a439b9732bb3a85729e51b1778ea12baadd082b885bc030a45ae7e1001276f |
pdf-javascript-stream | PDF /JS object 267 at offset 0x25EDF | 818 bytes |
javascript_obj0270_034.jsfb438241b8ad4698fa9bc72c00aad8ec2d1ddaa321f62a8e66a416156c8a408f |
pdf-javascript-stream | PDF /JS object 270 at offset 0x26167 | 622 bytes |
javascript_obj0274_035.jsf0dfedd45eff80fa2ac1c6e76b1ce210248e27b36992e969dfa0c5148480e937 |
pdf-javascript-stream | PDF /JS object 274 at offset 0x2641C | 526 bytes |
javascript_obj0279_036.jsab7741c91f37a1a8351d44fef9a028ffbe48934b6094afe80920606bf92437f7 |
pdf-javascript-stream | PDF /JS object 279 at offset 0x266A1 | 6974 bytes |
javascript_obj0282_037.js4d5a574dbb90f338e73034cd32adf04eb15eb26fff00dd1b35a9d2f6debc02de |
pdf-javascript-stream | PDF /JS object 282 at offset 0x26B24 | 6988 bytes |
javascript_obj0289_038.jsb643171c59c7e717127d8fa98b029888c6360aca7b5b32535aa9953b64167b06 |
pdf-javascript-stream | PDF /JS object 289 at offset 0x2704D | 3078 bytes |
javascript_obj0294_039.js4e79786cae861bd04981e6512cfed209dcabcd03fb2a6c325fb59ec0e22ca2ab |
pdf-javascript-stream | PDF /JS object 294 at offset 0x2745D | 790 bytes |
javascript_obj0307_040.js8fbb4421f316cc049333315fd8a9251a84e4b6d1df33adb108f91d62220b1ba8 |
pdf-javascript-stream | PDF /JS object 307 at offset 0x27C8D | 345 bytes |
javascript_obj0312_041.jsa995a52c0f0b3774342bf7492a8da2b05c06b295c84961afcbe16b501a622017 |
pdf-javascript-stream | PDF /JS object 312 at offset 0x27F3E | 900 bytes |
javascript_obj0326_042.js0fe71e298e77900fc39690ba9e9f44e0fb4bc0cb29d5e6810bbf6197f6689394 |
pdf-javascript-stream | PDF /JS object 326 at offset 0x287E2 | 1131 bytes |
stream_039_off00031880.bin1a6eb421f83b12b29b2c429582a2539ef77f3c57f3a8587861371a7e1a09c079 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x31880 | 65536 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.