Malicious PDF — malware analysis report

Static analysis result for SHA-256 f64c4cf99fa35f96…

MALICIOUS

PDF

Size: 473.8 KB
Created: 2007-01-17 14:31:39 +09:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 8.1.0 (Windows))
MD5: a6f3db8e528693253b1eb6c14508709a
SHA-1: 18ef60fc59eadf4393dd99760a21df576cccd977
SHA-256: f64c4cf99fa35f96dcdf7f0657e98fc108348c927a377f7f64eadd9cb4e50089
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and is flagged as related to CVE-2023-26369, indicating that it likely exploits this vulnerability. The embedded JavaScript is designed to execute when the PDF is opened, potentially leading to further malicious activity. The presence of embedded files suggests downloader or dropper functionality.

Heuristics (5)

  • TrueType bitmap font + active content — CVE-2023-26369 related (severity: high; category: CVE related; rule: PDF_CVE_2023_26369_RELATED)
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 exploits the sfac_GetSbitBitmap function in Adobe's libCoolType for arbitrary code execution. This CVE was actively exploited in the wild, but this rule does not validate the malformed EBLC/EBDT primitive.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

i_25026000000uf.xls
  SHA-256: 7eab32c9e7bc4b4a646aa701ea1a8596ab5e50110d722c292284b37d5c3adb8f
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 195 at offset 0x663B3
  Size:    38400 bytes

i_20Oimz_h.xls
  SHA-256: fa2a811abff44e7ff740e4e8454584c6901d83b097a6a7fb687946fb46d8ba47
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 194 at offset 0x6859F
  Size:    20480 bytes

jni_i_20250260d0O_.doc
  SHA-256: 653325ef079d6782ec6de1bc2e0e554714edd9614c21a712a6ab9b0d86b03fed
  Kind:    pdf-embedded-file
  Source:  PDF EmbeddedFile object 193 at offset 0x69330
  Size:    270848 bytes

javascript_obj0214_000.js
  SHA-256: 0d9c2983dfe6b647a9f964ec7be89adcc8068d5bccabfc665c0a9e4291ff715d
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 214 at offset 0x7483A
  Size:    2232 bytes

stream_003_off0000551b.bin
  SHA-256: 2b8fd4bfd93ff1ef6e1a3040f6192717cbf83452cd90b0f1e4709fede5ccb7a7
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x551B
  Size:    420844 bytes

stream_005_off00034a37.bin
  SHA-256: fa05a67a11b580e83af5082bf0446bbdfa0b37e1647c6b47b0cf2f1137a8fee1
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x34A37
  Size:    235780 bytes

icc_00_off00044f6b.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind:    pdf-icc-profile
  Source:  PDF ICC profile at offset 0x44F6B
  Size:    3144 bytes

font_00_sfnt_off00002275.bin
  SHA-256: e139a878034af2232d1e430c5aabf24288c630c0ef08b7134b153750f31b4dbe
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2275
  Size:    14752 bytes

font_03_sfnt_off00052cdd.bin
  SHA-256: 028157c4137d8b8b13fe664868e508f35789690b94ab6048e611ce74cf682506
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x52CDD
  Size:    186240 bytes