Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7f63b55076a08f1…

Verdict: MALICIOUS
File type: PDF
Size: 249.9 KB
MD5: a78cc55a3586ce9ea1ec316ba791bd0f
SHA-1: 895ff6892e0551e72be4cdf7fa9ba2b972b0a73e
SHA-256: e7f63b55076a08f154769a5b0d9be9e0450a8e6e7af1e0a508d59e980622ace8
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file contains embedded JavaScript and exploits CVE-2023-26369, indicated by the 'PDF_CVE_2023_26369_RELATED' heuristic. The embedded JavaScript, identified as 'stream_013_off0003de72.js', likely downloads and executes a second-stage payload from the external URI 'https://loanapproval.000webhostapp.com/'. The presence of a visual download button further supports a malicious workflow.

Heuristics (5)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; category: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Visual download / call-to-action button lure (severity: low; rule: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). This is a low-signal finding unless other findings point to a malicious workflow.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_013_off0003de72.js
Hash: 6a411c6cb5ae2c1b3b15c12ed955fa0f8db155570b6b9f9520a148e0c15309d9
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x3DE72
Size: 5832 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob)