Malicious PDF — malware analysis report

Static analysis result for SHA-256 24ac059df2e84ae2…

Verdict: MALICIOUS
File type: PDF
Size: 171.7 KB
Created: (unreadable; the document's string objects are encrypted)
Authoring application: (unreadable; the document's string objects are encrypted)
First seen: 2022-06-25

MD5: f544541f6731c64e16abe9d355907d16
SHA-1: 5fe74796ae8590d86e8aeee6f2bd9431bc08c9df
SHA-256: 24ac059df2e84ae2b9ccf9957b10b950f39b2d499353473afd24277b825cf8ab

Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1200 Hardware Add-in

The PDF is encrypted and contains a UNC path, indicating potential credential theft via NTLM relay (CVE-2018-4993). It also functions as an image-only lure, typical of phishing, with embedded URLs pointing to external websites. The combination of these factors suggests a malicious intent to exploit user interaction for compromise.

Machine Learning

  • Nyx PDF Classifier clean score 0.1494

Heuristics (4)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high] [rule: CVE_2018_4993]
    The PDF contains a UNC path (\\server\share) alongside action triggers. When a vulnerable viewer resolves this path while processing the matching PDF action, Windows may send NTLM credentials to the remote host.
  • Image-only document with action trigger (screenshot lure) [severity: medium] [rule: PDF_IMAGE_LURE]
    The PDF has 2 images and 0 text blocks, carries a click-outward action, and is only 171 KB. This is the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Encrypted PDF (string and stream contents are opaque to static scan) [severity: info] [rule: PDF_ENCRYPTED]
    The PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Embedded URL [severity: info] [rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.pdf-conversa.com
    • http://www.ascomp-software.de/forum/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_033_off00007d93.bin
SHA-256: 0c488f01075ad950b0e0c5ba43453b0b04db70c0b0f940548d4bdb4806084e66
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x7D93
Size: 624780 bytes