Verdict: SUSPICIOUS (Risk Score 26)
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell (analyzer mapping; nothing shown on this page, neither the heuristics nor the carved streams, evidences PowerShell, so treat this tag as uncorroborated)
- T1566.002 Spearphishing Attachment (consistent with a document lure that carries active content)
The PDF contains embedded JavaScript and a large number of external URIs; the one reached through a link annotation points to https://www.nao.kz/. Embedded JavaScript together with the unusually high stream count (501+) is consistent with obfuscation or exploit delivery, but neither proves it: the listed heuristics are info/medium severity and the font rule does not confirm the CVE-2023-26369 primitive. The document text extracted poorly (runs of replacement characters where non-ASCII, probably Cyrillic, text stood), so the lure cannot be read, but the URLs themselves are almost all Kazakh education and teaching-resource sites (nao.kz, bilimland.kz, ustaz.kz, pedsovet.su) of the kind found in the reference section of a teaching document. Treat the nao.kz URI as context to check rather than as a standalone indicator of malicious intent.
Machine Learning
- Nyx PDF Classifier: clean score 0.0041 (read as the classifier's confidence that the file is benign, this is very low, i.e. the model leans malicious; the overall verdict nonetheless stays at Suspicious rather than Malicious because the rule hits below are low severity)
Heuristics (4)
- TrueType bitmap font + active content, CVE-2023-26369 related (info) PDF_CVE_2023_26369_RELATED: PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive, so a hit means the font deserves inspection, not that an exploit is present.
- Unusually high stream count (medium) PDF_MANY_STREAMS: PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- External URI (info) PDF_URI: PDF contains an external URL action.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URLs (channel in parentheses):
- https://www.nao.kz/ (PDF link annotation)
- http://www.nao.kz/ (in PDF document text)
- https://bilimland.kz/ (in PDF document text)
- http://smk.edu.kz/ (in PDF document text)
- https://academia.kz/ru/course/1 (in PDF document text)
- http://www.rc-dd.kz/ (in PDF document text)
- https://www.nao.kz/����������%20������������%20������-����������������������%20��������������������%20������/%20������%20����������������������������/ (in PDF document text)
- https://www.nao.kz/����������%20������������%20������-����������������������%20��������������������%20������/������%20����������������������������/ (in PDF document text)
- http://ustazuni.kz/ (in PDF document text)
- http://mugalimder.kz/ (in PDF document text)
- http://bilimland.kz/ (in PDF document text)
- http://abai.kz/ (in PDF document text)
- http://bilimger.kz/ (in PDF document text)
- http://ustaz.kz/ (in PDF document text)
- http://sabaqtar.kz/kazaksh/ (in PDF document text)
- http://bilimsite.kz/ustaz (in PDF document text)
- http://oqu-zaman.kz/ (in PDF document text)
- http://tarbie.org/ (in PDF document text)
- http://kazbilim-edu.kz/ (in PDF document text)
- http://pedsovet.su/publ/42 (in PDF document text)
- http://pedsovet.su/metodika/priemy/5673_metod_klaster_na_uroke (in PDF document text)
- https://www.nao.kz (PDF link annotation)
- https://nao.kz/ (in PDF document text)
- https://bilimland.kz (in PDF document text)
- http://smk.edu.kz (in PDF document text)
- https://www.nao.kz/���������� (in PDF document text)
- http://ustazuni.kz (in PDF document text)
- http://mugalimder.kz (in PDF document text)
- http://bilimland.kz (in PDF document text)
- http://abai.kz- (in PDF document text)
- http://bilimger.kz- (in PDF document text)
- http://ustaz.kz (in PDF document text)
- http://oqu-zaman.kz (in PDF document text)
- http://tarbie.org (in PDF document text)
- http://kazbilim-edu.kz- (in PDF document text)
- http://nao.kz/ (in PDF document text)
- http://ped.kz/ (in PDF document text)
- http://do.gendocs.ru/docs/index-206471.html (in PDF document text)
- http://www.tarih-begalinka.kz/ (in PDF document text)
- http://e-history.kz/ (in PDF document text)
- http://bilimsite.kz/tarih/ (in PDF document text)
- http://testcenter.kz/entrants/for-ent/ (in PDF document text)
- http://www.world-history.ru/ (in PDF document text)
- http://historic.ru/ (in PDF document text)
- http://www.nnpcfk.kz/ (in PDF document text)
- http://testcenter.kz/ (in PDF document text)
- http://nao.kz/?lang=kz (in PDF document text)
- http://u-s.kz/ (in PDF document text)
- http://ustaz.kz/sait-bolimderi/file/1111-tusibek-g-adebiet-alemi (in PDF document text)
- http://testent.ru/news/uroki_kazakhskogo_jazyka_v_russkoj_shkole/2010-08-06-288 (in PDF document text)
- +49 more URL(s)

Note on the list: the runs of � in the nao.kz paths are non-ASCII path segments (percent-encoded, most likely Cyrillic) that did not survive extraction, and the trailing hyphen on entries such as http://abai.kz- is an artifact pulled in from the surrounding text (a hostname cannot end in a hyphen). Several hosts appear twice, once with and once without a trailing slash, because the same reference was extracted from two places in the text.
Extracted artifacts (4)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_016_off00035de7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x35DE7 | 20160 bytes | 163f3acbcde3d1d0a9fc7e85e7628848cbcd1aba33b164475dc925361e92805c |
| stream_189_off00375797.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x375797 | 229572 bytes | 25ac8218e6362e2f88ddb2b90a9824d3d779208d1099bb539e561949a06a071a |
| stream_193_off003a8e8b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3A8E8B | 181544 bytes | 5a33c5560b35ac78fc3ab6115b6e1aaa13036f646c2564bbc343ad2f6c3f8716 |
| stream_197_off003e2a00.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3E2A00 | 212396 bytes | f9c4d94b880b88bb221532ae4e6b53752375a7b8bfbe5e115a4f7add33f8a174 |