Verdict: CLEAN
Risk Score: 6
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF embeds TrueType fonts that carry bitmap glyph tables and contains URI link actions, which is why the CVE-2023-26369-related heuristic fired. That rule keys on the presence of the bitmap tables next to active content; it does not validate the malformed EBLC/EBDT structure the exploit actually needs, so on its own it is informational, not evidence of an exploit attempt. The many external URIs resolve to Romanian statistical (insse.ro), county-government (cjgalati.ro) and other local sites and are consistent with a reference document about Galați county rather than with a lure or redirection mechanism. No scripts were extracted, nothing on this page supports the T1059.001 PowerShell mapping, and the Nyx score (0.4607) is equivocal, so the CLEAN verdict stands. If confirmation is wanted, the two decompressed streams carved below are the artifacts to inspect: a genuine CVE-2023-26369 exploit would need a deliberately malformed EBLC/EBDT table pair in one of the embedded fonts, and the tag-presence rule cannot tell that apart from an ordinary bitmap font.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4607
Heuristics (3)
- TrueType bitmap font + active content, CVE-2023-26369 related [info] PDF_CVE_2023_26369_RELATED: the PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution and was actively exploited in the wild, but this rule only checks that the bitmap tables are present and does not validate the malformed EBLC/EBDT primitive, so a hit is not proof of an exploit.
- External URI [info] PDF_URI: the PDF contains an external URL action.
- Embedded URL [info] EMBEDDED_URL: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URLs found in PDF document text:
- http://www.primm.ro/
- http://www.cjgalati.ro/index.php/judeul-galai
- http://www.actedj.ro/
- https://statistici.insse.ro/shop/
- http://www.galati.insse.ro/main.php?id=455
- http://judete.biz/populatie-galati/
- http://www.recensamantromania.ro/rezultate-2/
- http://www.galati.insse.ro/main.php
- http://www.recensamantromania.ro/rezultate-2
- http://www.cjgalati.ro/index.php/informare-publica/patjgalati
- http://www.cjgalati.ro/index.php/informare-publica/patjga
- http://www.insse.ro/cms/files/Web_IDD_BD_ro/index.htm
- http://www.braila.insse.ro/cmsbraila/rw/pages/index.ro.do
- http://www.adrse.ro/DezvoltareRegionala/DezvoltareRegionala.aspx
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t47_2011.htm?view=true
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t38_2011.htm?view=true
- http://www.rga2010.djsct.ro
- http://www.silvagalati.ro/ro/directia-silvica-galati
- http://www.anpa.ro/index.php?v=download&id=214
- http://www.braila.insse.ro/cmsbraila/rw/resource/
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t35_2011.htm?view=true
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t57_2011.htm?view=true
- http://www.portal-info.ro/sali_de_
- http://www.vivaclub.ro/ro.html
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t58_2011.htm?view=true
URLs found as /URI link-action targets (the extractor captured the trailing `)/Type/Action/S/URI` of each action dictionary along with the URL; that tail is PDF dictionary syntax, not part of the address, and is stripped here):
- http://www.primm.ro/
- http://www.cjgalati.ro/index.php/judeul-galai
- http://www.actedj.ro/
- https://statistici.insse.ro/shop/
- http://www.galati.insse.ro/main.php?id=455
- http://www.galati.insse.ro/main.php
- http://www.recensamantromania.ro/rezultate-2/
- http://www.insse.ro/cms/files/Web_IDD_BD_ro/index.htm
- http://www.adrse.ro/DezvoltareRegionala/DezvoltareRegionala.aspx
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t47_2011.htm?view=true
- http://www.braila.insse.ro/cmsbraila/rw/resource/r_t38_2011.htm?view=true
- http://www.braila.insse.ro/cmsbraila/rw/resource/
- http://www.portal-info.ro/sali_de_%20conferinta/locatie-galati-sali_de_%20conferinta%20-centrul_de_afaceri_dunarea-4457.html
- http://www.tourismguide.ro/.../Galati/Galati/index.php
- http://www.vegahotel.ro/
- http://www.vivaclub.ro/ro.html
- http://stone.bvau.ro/infoghid/index.php?title=Jude%C5%A3ul_Gala%C5%A3i&action=edit&redlink=1
- http://stone.bvau.ro/infoghid/index.php?title=Jude%C5%A3ului_Gala%C5%A3i&action=edit&redlink=1
- http://balabanesti.net/about-2/album-foto/
- http://www.ghidulprimariilor.ro/list/cityHallDetails/PRIM%25C4%2582RIA%2BVINDEREI/123392
- http://www.ghidulprimariilor.ro/list/cityHallDetails/PRIM%25C4%2582RIA%2BGRIVI%25C5%25A2A/123411
- http://balabanesti.net/destine/personalitati/
- http://stone.bvau.ro/infoghid/index.php/B%C4%83l%C4%83b%C4%83ne%C5%9Fti
- http://www.ghidulprimariilor.ro/list/cityHallDetails/PRIM%25C4%2582RIA%2BTUTOVA/123389
- http://www.ghidulprimariilor.ro/list/cityHallDetails/PRIM%25C4%2582RIA%2BPOCHIDIA/834944
+291 more URL(s)
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_061_off00bc0e77.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBC0E77 | 185528 bytes | b966547d4e51e584b38b6685b203f6a7f61ce38b9d0e78365ea3f579a0fec3cf |
| stream_064_off008f2768.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8F2768 | 215040 bytes | 75133ec4f426b3656fe242f62fb23b2b445f1bfbb217eea8da6268648e8a967d |
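The three heuristics above and the FlateDecode stream carving behind the artifacts table can be reproduced with a short triage script. What follows is an added example written for this page, not code from the analyzer or from the report's rule set. It builds a constructed PDF fragment inline (a Flate-compressed fake TrueType font whose table directory lists EBDT/EBLC, plus two /URI link annotations written without separators), carves the stream, checks the decompressed blob for an sfnt table directory with bitmap tables, and extracts /URI targets with a parser that honours PDF literal-string syntax, which is exactly what the naive regex behind the `)/Type/Action/S/URI` tails in the URL list gets wrong. The rule names, the sample font, the two URLs and the `SFNT_TABLE_OUT_OF_BOUNDS` bounds check are assumptions of the example; the bounds check is an extra sanity step the report's tag-presence rule does not perform.

```python
import re
import struct
import zlib

# sfnt tables that carry embedded bitmap glyphs: EBDT/EBLC and CBDT/CBLC pairs, sbix.
BITMAP_TABLE_TAGS = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix"}
# A dictionary directly followed by 'stream', one nested << >> tolerated.
# Simplified carver for illustration, not a full PDF lexer.
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")

def carve_flate_streams(data):
    """Return [(offset, decompressed_bytes)] for every /FlateDecode stream found."""
    out = []
    for m in STREAM_RE.finditer(data):
        end = data.find(b"endstream", m.end())
        if b"/FlateDecode" not in m.group(1) or end < 0:
            continue
        try:  # decompressobj() ignores the EOL that precedes 'endstream'
            out.append((m.end(), zlib.decompressobj().decompress(data[m.end():end])))
        except zlib.error:
            continue  # damaged stream; a real triage tool would retry raw deflate
    return out

def sfnt_table_directory(blob):
    """If blob starts with a TrueType/OpenType header, return {tag: (offset, length)}."""
    if len(blob) < 12:
        return None
    version, n = struct.unpack(">IH", blob[:6])  # sfnt version, then numTables
    if version not in (0x00010000, 0x74727565, 0x4F54544F):  # 1.0, 'true', 'OTTO'
        return None
    if not 0 < n <= 64 or len(blob) < 12 + 16 * n:
        return None
    recs = (struct.unpack_from(">4sIII", blob, 12 + 16 * i) for i in range(n))
    return {tag: (off, length) for tag, _csum, off, length in recs}

def pdf_strings_after(data, key):
    """Decode each literal string '( ... )' that follows `key`, honouring balanced
    parentheses and backslash escapes (PDF 32000-1, 7.3.4.2)."""
    found = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":  # escaped byte is literal; \n \r \t are mapped
                nxt = data[i + 1:i + 2]
                buf += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
                i += 2
                continue
            depth += (c == b"(") - (c == b")")  # nesting level via bool arithmetic
            if depth == 0:
                break
            buf += c
            i += 1
        found.append(bytes(buf).decode("latin-1"))
    return found

def naive_uris(data):
    """The over-capturing regex that yields 'http://x/)/Type/Action/S/URI'."""
    return [u.decode("latin-1") for u in re.findall(rb"/URI\s*\((https?://[^\s>]+)", data)]

def triage(pdf):
    """Return (rule, severity, detail) tuples mirroring the report's heuristics."""
    findings = []
    for off, blob in carve_flate_streams(pdf):
        tables = sfnt_table_directory(blob)
        if not tables:
            continue
        bitmap = sorted(t.decode() for t in tables if t in BITMAP_TABLE_TAGS)
        if bitmap:  # tag presence only, hence informational, as on the report
            findings.append(("PDF_CVE_2023_26369_RELATED", "info", (off, bitmap)))
        # Bounds check the report's rule does not do: a record pointing past the blob.
        bad = sorted(t.decode() for t, (o, n) in tables.items() if o + n > len(blob))
        if bad:
            findings.append(("SFNT_TABLE_OUT_OF_BOUNDS", "suspicious", (off, bad)))
    uris = pdf_strings_after(pdf, b"/URI")
    if uris:
        findings.append(("PDF_URI", "info", uris))
    return findings

def build_fake_sfnt(tags):
    """Constructed font: header and table directory only, every table empty."""
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    end_of_dir = 12 + 16 * len(tags)
    return header + b"".join(struct.pack(">4sIII", t, 0, end_of_dir, 0) for t in tags)

def build_sample_pdf():
    """Constructed PDF fragment: one Flate font stream with bitmap tables and two
    /URI link actions written without spaces, the form that trips the naive regex."""
    font = build_fake_sfnt([b"cmap", b"EBDT", b"EBLC", b"glyf", b"head"])
    comp = zlib.compress(font)
    return b"".join([
        b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(comp), len(font)),
        comp, b"\nendstream\nendobj\n",
        b"6 0 obj\n<</Type/Annot/Subtype/Link/A<</URI(http://www.primm.ro/)/Type/Action/S/URI>>>>\nendobj\n",
        b"7 0 obj\n<</Type/Annot/Subtype/Link/A<</S/URI/URI(http://example.invalid/a(b)c\\))>>>>\nendobj\n",
        b"%%EOF\n",
    ])
```

Running `triage(build_sample_pdf())` yields an informational `PDF_CVE_2023_26369_RELATED` hit listing `EBDT` and `EBLC`, and a `PDF_URI` hit with the two clean URLs; `naive_uris()` on the same bytes returns `http://www.primm.ro/)/Type/Action/S/URI`, the same residue the report shows. Point `carve_flate_streams` at a real file and feed each decompressed blob to `sfnt_table_directory` to see which carved stream, if any, is the font that triggered the rule.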