Verdict: CLEAN
Risk Score: 6
Malware Insights
MITRE ATT&CK
T1204.002 User Execution: Malicious File
T1566.002 Phishing: Spearphishing Link
The PDF triggers a heuristic associating it with CVE-2023-26369, an out-of-bounds write in the CoolType font engine of Adobe Acrobat/Reader that was exploited in the wild: the file embeds a TrueType font carrying bitmap glyph tables (EBDT, sbix or CBDT). The rule keys on the presence of those tables and does not validate the malformed EBLC/EBDT structure an actual exploit needs, so it is a lead to investigate, not evidence of an exploit. The file also carries a link annotation with an external URI action to http://raup.irooo.ru/; the same host, together with more than 170 other plain-text URLs (library, museum and education sites), was extracted from the document body, and no textual lure was identified. One unvalidated font-structure heuristic plus a single clickable external link is consistent with the CLEAN verdict and low risk score; confirming or ruling out an exploit requires inspecting the embedded font's EBLC/EBDT tables directly.
Machine Learning
- Nyx PDF Classifier clean score 0.0725
Heuristics (3)
- TrueType bitmap font + active content — CVE-2023-26369 related (info, PDF_CVE_2023_26369_RELATED)
  The PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit-delivery indicators. CVE-2023-26369 is an out-of-bounds write in the sfac_GetSbitBitmap function of Adobe's libCoolType that was exploited in the wild for arbitrary code execution. This rule does not validate the malformed EBLC/EBDT primitive, so it flags the table combination, not a confirmed exploit.
- External URI (info, PDF_URI)
  The PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://raup.irooo.ru (PDF link annotation)
  - http://raup.irooo.ru/forum/izobrazitelnoe-iskusstvo (in PDF document text)
  - http://omsklib.ru/Elektronnaya (in PDF document text)
  - http://admomsk.ru (in PDF document text)
  - http://www.otvoyna.ru/geroy.htm (in PDF document text)
  - http://www.warheroes.ru/towns.asp (in PDF document text)
  - http://��������������55.����/dokumenty/pamyatniki-omska/ (in PDF document text; the internationalized hostname did not survive extraction)
  - http://www.omsklib.ru/pamyatniki/soderzch.htm (in PDF document text)
  - http://www.uchportfolio.ru/s9389235641/?page=19858 (in PDF document text)
  - http://www.pomnivoinu.ru/home/tag/45/ (in PDF document text)
  - http://ped-kopilka.ru/shkolnye-prazdniki/den-pobedy/deti-geroi-velikoi- (in PDF document text)
  - http://allforchildren.ru/songs/vov.php (in PDF document text)
  - http://www.muz-urok.ru/tex_pesen3.htm (in PDF document text)
  - http://www.9maya.ru/2012/02/06/pesnya-den-pobedy-istoriya-tekst- (in PDF document text)
  - https://www.classic-music.ru/ (in PDF document text)
  - http://www.imagechef.com/ic/ru/word_mosaic/ (in PDF document text)
  - http://rebus1.com (in PDF document text)
  - http://puzzlecup.com/crossword-ru (in PDF document text)
  - http://www.armoredpenguin.com/wordsearch (in PDF document text)
  - https://anagram.poncy.ru (in PDF document text)
  - http://www.cbook.ru/peoples/ (in PDF document text)
  - http://jivopis.ru/gallery/ (in PDF document text)
  - http://www.worldarthistory.com/ (in PDF document text)
  - http://rusarh.ru/ (in PDF document text)
  - http://www.archi-tec.ru (in PDF document text)
  - http://www.museum-online.ru (in PDF document text)
  - http://www.impressionism.ru (in PDF document text)
  - http://www.arthistory.ru/ (in PDF document text)
  - http://www.hellados.ru/ (in PDF document text)
  - http://urok-kultury.ru/category/iskusstvo-mxk/ (in PDF document text)
  - http://www.artprojekt.ru (in PDF document text)
  - http://www.smirnova.net/ (in PDF document text)
  - http://mifolog.ru/ (in PDF document text)
  - http://fashion.artyx.ru/ (in PDF document text)
  - http://www.encspb.ru (in PDF document text)
  - http://www.greekroman.ru (in PDF document text)
  - https://www.classic-music.ru (in PDF document text)
  - http://www.hermitage.ru (in PDF document text)
  - http://www.rusmuseum.ru (in PDF document text)
  - http://www.shm.ru (in PDF document text)
  - http://www.tretyakov.ru (in PDF document text)
  - http://www.artline.ru (in PDF document text)
  - http://www.muar.ru (in PDF document text)
  - http://roerich-museum.ru (in PDF document text)
  - http://www.kemet.ru (in PDF document text)
  - http://www.russianculture.ru (in PDF document text)
  - https://www.rki-omgpu.com/ (in PDF document text)
  - http://raup.irooo.ru/ (PDF link annotation)
  - http://omsklib.ru/files/news/our_izdania/2019/kzd-2020.pdf (in PDF document text)
  - http://omsklib.ru/Elektronnaya_biblioteka (in PDF document text)
  - (111 more URLs not shown)
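The channel label matters more than the URL: a URL that merely appears in page text does nothing when the document is opened, while a /URI action attached to a /Link annotation is a clickable redirect. The following script, an added example that is not part of this report or of the analyzer's code, shows how to tell the two apart on raw PDF bytes. It builds a constructed sample PDF with one plain-text URL and one link-annotation URI, inflates the FlateDecode content stream, and maps each URL to the channel(s) that reached it. It assumes an unencrypted PDF with direct objects; it does not walk object streams (/ObjStm), follow indirect /A references, or decode hex-string /URI values.

```python
import re
import zlib

# Constructed sample (not the analysed file): a minimal unencrypted PDF with one
# page. The content stream carries a URL as visible text, and a /Link annotation
# carries a different URL as a /URI action. The xref table is omitted because the
# scanner below reads raw bytes and never resolves offsets.
_PAGE_TEXT = b"BT /F1 12 Tf 72 700 Td (Sources: http://omsklib.ru/Elektronnaya.) Tj ET"
_PAGE_TEXT_Z = zlib.compress(_PAGE_TEXT)

SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >> endobj\n",
    b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_PAGE_TEXT_Z),
    _PAGE_TEXT_Z, b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 690 300 710] ",
    b"/A << /S /URI /URI (http://raup.irooo.ru/) >> >> endobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
URI_ACTION_RE = re.compile(rb"/S\s*/URI\b.*?/URI\s*\((.*?)\)", re.S)   # direct literal-string form only
URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")


def _stream_payload(body):
    """Return the decoded stream body of one object, or None if it has none."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    raw = m.group(1)
    if re.search(rb"/Filter\s*/FlateDecode\b", body):
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return None  # truncated or mislabelled data: treat as opaque
    return raw  # unfiltered stream; other filters are not decoded here


def classify_urls(pdf):
    """Map each URL to the channel(s) that reached it.

    'link annotation' = /URI action on a /Link annot (clickable),
    'URI action'      = /URI action elsewhere (e.g. an /OpenAction),
    'document text'   = URL appearing as text inside a content stream.
    """
    channels = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        is_link = re.search(rb"/Subtype\s*/Link\b", body) is not None
        for a in URI_ACTION_RE.finditer(body):
            url = a.group(1).decode("latin-1")
            channels.setdefault(url, set()).add("link annotation" if is_link else "URI action")
        payload = _stream_payload(body)
        if payload is not None:
            for u in URL_RE.finditer(payload):
                url = u.group(0).rstrip(b".,;:").decode("latin-1")  # drop trailing punctuation
                channels.setdefault(url, set()).add("document text")
    return {url: sorted(c) for url, c in channels.items()}


if __name__ == "__main__":
    for url, via in sorted(classify_urls(SAMPLE_PDF).items()):
        print(f"{url:40} {', '.join(via)}")
```

On the sample this yields one "link annotation" hit and one "document text" hit, which is exactly the distinction the per-URL labels above encode: the text URLs are reference-list content, the annotation URI is the only thing a click can trigger. Run it on a real file only after confirming it is not encrypted and that the page tree is not packed into object streams, or the annotation scan will silently see nothing.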
Extracted artifacts (5)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_104_off00502dee.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x502DEE | 196676 bytes | 1ae49ee2ab157e75d032457eb51c1096b7f833b211e069630cdcecd3c3760458 |
| stream_106_off0051af4c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x51AF4C | 237096 bytes | e3b007b9536c0287eabfc1c71c683ec0fc002f86a00c85abd474587a962b71a3 |
| stream_108_off0053879d.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x53879D | 266596 bytes | e1c8c041895c61e7677c3f8960a3a32263e95bdf2e8d4ba3d7d564561f8e49bf |
| stream_112_off0056e7ce.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x56E7CE | 273980 bytes | 5a99e543cc8a6d3e60bd2e73d2f1240ec7b3377fa0cc020733315fb9b4b28860 |
| stream_119_off005a217b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5A217B | 53356 bytes | 5998c5d2033a483dd08e9b933a9687c5b6eeb8bd43691631760d98f5fbffa56f |