PDF static analysis report

Static analysis result for SHA-256 f2977e40f5968572…

SUSPICIOUS

PDF

Size: 4.62 MB
Created: 2019-08-29 16:29:57 +06:00
Authoring application: Microsoft® Word 2010
First seen: 2020-07-24
MD5: 91820c8e1d895cc2b2dfb9792da11638
SHA-1: 9ea7575d2a35da1cfa8c295c57ccb441c8ef5678
SHA-256: f2977e40f5968572c1dd9298755ffc50f59f208c8161d6203b046f81e2d232a8
Risk Score: 26

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file contains embedded JavaScript and multiple external URIs, with one pointing to 'https://www.nao.kz/'. The presence of embedded JavaScript and the high stream count suggest obfuscation or exploit delivery. The document body is heavily corrupted, preventing a clear understanding of its lure, but the embedded URI is a primary indicator of potential malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0041

Heuristics (4)

  • TrueType bitmap font + active content — CVE-2023-26369 related [info, CVE related] PDF_CVE_2023_26369_RELATED
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators — CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • Unusually high stream count [medium] PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.nao.kz/ (PDF link annotation)

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                    Kind                     Source                                        Size
stream_016_off00035de7.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x35DE7     20160 bytes
  SHA-256: 163f3acbcde3d1d0a9fc7e85e7628848cbcd1aba33b164475dc925361e92805c
stream_189_off00375797.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x375797    229572 bytes
  SHA-256: 25ac8218e6362e2f88ddb2b90a9824d3d779208d1099bb539e561949a06a071a
stream_193_off003a8e8b.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3A8E8B    181544 bytes
  SHA-256: 5a33c5560b35ac78fc3ab6115b6e1aaa13036f646c2564bbc343ad2f6c3f8716
stream_197_off003e2a00.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3E2A00    212396 bytes
  SHA-256: f9c4d94b880b88bb221532ae4e6b53752375a7b8bfbe5e115a4f7add33f8a174