Malicious PDF — malware analysis report

Static analysis result for SHA-256 f91d503e3752813e…

Verdict: MALICIOUS
File type: PDF
Size: 412.0 KB
Created: 2024-07-25 15:19:33 +03:00 (PDF date string D:20240725151933+03'00')
Authoring application: Microsoft® Word 2016
MD5: 73196974eaed5465a8ec5da7e8259826
SHA-1: ce74afaa768343bb61aa2f6f15f9d6bd82971150
SHA-256: f91d503e3752813ecc0f4766140e94e4cdcdb488c81df38dab786aa2ccdfaf2e
Risk score: 96

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell; T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript (a /JS stream referenced from a /JavaScript action) and an AcroForm button field wired to an action trigger, which together indicate an attempt to execute code or to lure the user into clicking. The file also embeds TrueType font data with bitmap tables next to that active content, which matches the CVE-2023-26369 heuristic; that rule only checks for co-occurrence and does not validate the malformed EBLC/EBDT primitive, so exploitation of the CVE is suggested rather than confirmed. Embedded TrueType fonts are routine in PDFs exported from Microsoft Word, the recorded authoring application, so the font indicator carries little weight on its own. The ML classifier flagged the file as malicious with high confidence. No specific family was identified, but the active content and the possible exploit point to a malicious PDF dropper.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9598

Heuristics (4)

  • TrueType bitmap font + active content (CVE-2023-26369 related) [severity: high; category: CVE related; rule: PDF_CVE_2023_26369_RELATED]
    PDF embeds a TrueType font with bitmap tables (EBDT/sbix/CBDT) alongside exploit delivery indicators. CVE-2023-26369 is triggered through the sfac_GetSbitBitmap function in Adobe's libCoolType and leads to arbitrary code execution; it was actively exploited in the wild. This rule only checks for the co-occurrence of a bitmap font and active content and does not validate the malformed EBLC/EBDT primitive, so a hit is not confirmation that the font is an exploit.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [severity: low; rule: PDF_ACROFORM_BUTTON]
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
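The four heuristics above can be reproduced with a short stand-alone scanner. The following is an added example written for this page, not the code of the scanner that produced the report; it reuses the rule names only so its output lines up with the table. It walks the PDF's `N G obj ... endobj` objects, inflates FlateDecode streams, reads the sfnt table directory of each stream that looks like a font, and reports a CVE-2023-26369-related hit only when a bitmap table (EBDT/EBLC/CBDT/CBLC/sbix) co-occurs with a JavaScript action, a /JS stream, or a /Btn field carrying a trigger in the same object. The test file it builds (`build_sample_pdf`) is constructed for the example and is not the analysed sample; the script string and URL in it are placeholders.

```python
"""Added example: re-implementation of the report's four PDF heuristics, run
over a constructed test file. Not the scanner that produced this report."""
import re
import struct
import zlib
from typing import Dict, List, Tuple

# sfnt table tags that carry embedded bitmap glyphs. EBLC/EBDT is the pair
# named in the CVE-2023-26369 rule; CBDT/CBLC and sbix are the colour variants.
BITMAP_TABLES = {b"EBDT", b"EBLC", b"CBDT", b"CBLC", b"sbix"}
SFNT_MAGIC = {b"\x00\x01\x00\x00", b"true", b"OTTO"}  # TrueType / Apple / CFF-based

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS(?![A-Za-z])")  # /JS but not /JavaScript
BTN_RE = re.compile(rb"/FT\s*/Btn")
TRIGGER_RE = re.compile(rb"/S\s*/(JavaScript|URI|Launch|SubmitForm)\b")


def sfnt_table_tags(data: bytes) -> List[bytes]:
    """Table tags from an sfnt table directory, or [] if the bytes are not an sfnt.
    Only the 12-byte offset table and 16-byte directory entries are read; table
    contents are not validated, so the malformed EBLC/EBDT primitive is not detected."""
    if len(data) < 12 or data[:4] not in SFNT_MAGIC:
        return []
    num_tables = struct.unpack(">H", data[4:6])[0]
    tags = []
    for i in range(num_tables):
        entry = data[12 + 16 * i: 12 + 16 * i + 16]
        if len(entry) < 16:
            break  # truncated directory: stop instead of reading past the buffer
        tags.append(entry[:4])
    return tags


def pdf_objects(pdf: bytes) -> List[Tuple[int, bytes, bytes]]:
    """(object number, object body, decoded stream or b'') for every 'N G obj'.
    FlateDecode streams are inflated; other filters, object streams (/ObjStm) and
    cross-reference streams are not expanded, so objects hidden there are missed."""
    out = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        stream = b""
        s = STREAM_RE.search(body)
        if s:
            stream = s.group(1)
            if b"/FlateDecode" in body[: s.start()]:
                try:
                    stream = zlib.decompress(stream)
                except zlib.error:
                    pass  # keep the raw bytes; a corrupt stream is itself worth noting
        out.append((num, body, stream))
    return out


def triage(pdf: bytes) -> Dict[str, bool]:
    """Evaluate the four heuristics from the report and return {rule_id: hit}."""
    objs = pdf_objects(pdf)
    has_js_action = b"/JavaScript" in pdf
    has_js_stream = JS_KEY_RE.search(pdf) is not None
    # Button and trigger must sit in the same object: a plain /Btn in one object
    # and a harmless /URI link annotation in another should not combine into a hit.
    has_button_trigger = any(BTN_RE.search(body) and TRIGGER_RE.search(body)
                             for _, body, _ in objs)
    bitmap_font_objs = [n for n, _, s in objs if BITMAP_TABLES & set(sfnt_table_tags(s))]
    active_content = has_js_action or has_js_stream or has_button_trigger
    return {
        "PDF_JAVASCRIPT": has_js_action,
        "PDF_JS": has_js_stream,
        "PDF_ACROFORM_BUTTON": has_button_trigger,
        # Co-occurrence only, like the report's rule: bitmap font next to active
        # content, with no check of the font's EBLC/EBDT contents.
        "PDF_CVE_2023_26369_RELATED": bool(bitmap_font_objs) and active_content,
    }


def build_sample_pdf(active: bool = True) -> bytes:
    """Constructed test input, not the analysed sample: a PDF embedding a TrueType
    font whose directory lists an EBDT table and, when active=True, an /OpenAction
    JavaScript plus a /Btn widget wired to the same /JS stream."""
    font = (struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)  # offset table, 1 entry
            + b"EBDT" + struct.pack(">III", 0, 28, 4)       # tag, checksum, offset, length
            + b"\x00" * 4)                                  # placeholder table data
    js = b"app.launchURL('http://example.invalid/next', true);"  # placeholder script
    catalog = b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >>"
    catalog += b" /OpenAction << /S /JavaScript /JS 3 0 R >> >>" if active else b" >>"
    button = b"<< /Type /Annot /Subtype /Widget /FT /Btn /T (Open)"
    button += b" /A << /S /JavaScript /JS 3 0 R >> >>" if active else b" >>"
    script = (b"<< /Length %d >>\nstream\n" % len(js) + js + b"\nendstream") if active else b"null"
    objs = [catalog, b"<< /Type /Pages /Kids [] /Count 0 >>", script, button,
            b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream"]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for rule, hit in triage(data).items():
        print(("HIT  " if hit else "     ") + rule)
```

Run it with a file path to scan a real PDF, or with no arguments to scan the constructed sample; `build_sample_pdf(active=False)` yields the same file without the script and trigger, and then none of the rules fire even though the bitmap font is still present, which is the behaviour the report's CVE rule describes. The parser is deliberately minimal: a sample that stores its objects in object streams or uses filters other than FlateDecode needs a full PDF parser before these checks mean anything.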

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj0044_000.js
    SHA-256: aa47cc28ae97941c3c7bd4d80fd3c5bd41f322dab44d42bbed4dac8ab1d7f886
    Kind: pdf-javascript-stream
    Source: PDF /JS object 44 at offset 0x66A3A
    Size: 121 bytes
  • font_00_sfnt_off0000bc0b.bin
    SHA-256: 90993ae13553eca3aa71e2f844dd3073c47ab2e0912cf54fe26250fd4973c8d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBC0B
    Size: 558232 bytes
  • font_01_sfnt_off0003a644.bin
    SHA-256: 77cb77f81d888cb3d17ee3188d7905c93583131ce7160c3a2289b35ec293b482
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3A644
    Size: 541140 bytes