Malicious PDF — malware analysis report

Static analysis result for SHA-256 30c427461dacb832…

Verdict: MALICIOUS

File type: PDF

Size: 32.6 KB
MD5: 44deba917d3a1fa6c69aedbd9cf0a3b4
SHA-1: 3c069a064ac697634b88456bc2317676015bfe07
SHA-256: 30c427461dacb832f1c6fe0033bfbbf51fc512f84fad083a3fc8e75d63afd3b4
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell
  • T1204.002 Malicious Link
  • T1071.001 Web Protocols

The PDF is heavily obfuscated and encrypted, and carries a JavaScript action designed to hide its true payload. It uses a screenshot lure, a common phishing technique for tricking users into interacting with malicious content. The presence of a UNC path suggests an attempt at credential theft via NTLM relay, exploiting CVE-2018-4993 or a similar vulnerability. No specific malware family could be confidently identified because of the obfuscation.

Heuristics (5)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089)
    Severity: high (CVE likely). Rule: CVE_2018_4993
    PDF contains a UNC path (\\server\share) alongside action triggers. When a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed.
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis
    Severity: high. Rule: PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that an analyst cannot inspect without the decryption key.
  • Image-only document with action trigger (screenshot lure)
    Severity: medium. Rule: PDF_IMAGE_LURE
    PDF has 2 images and 0 text blocks, carries a click-outward action, and is only 32 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action
    Severity: low. Rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream
    Severity: low. Rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

javascript_obj0017_000.js
  SHA-256: 4529af49a91cd0d233f3947d4700985b27b9453597c718eebf73d2bff3638cd1
  Kind: pdf-javascript-stream; Source: PDF /JS object 17 at offset 0x1220; Size: 76 bytes
javascript_obj0018_001.js
  SHA-256: 16e6783f74ba99db1ba62133b4af800648d11efa04bca9b3e1226320a6da2b15
  Kind: pdf-javascript-stream; Source: PDF /JS object 18 at offset 0x13E2; Size: 76 bytes
javascript_obj0019_002.js
  SHA-256: 4ee33ecdcd299c90c0af0d5155df7d8bf8118cab89543794d2da727dea3a9021
  Kind: pdf-javascript-stream; Source: PDF /JS object 19 at offset 0x158D; Size: 76 bytes
javascript_obj0020_003.js
  SHA-256: 998532975c049742c0518c6da6d29a76c3d14c8a49b7db4c4d18f0fa6fdd511e
  Kind: pdf-javascript-stream; Source: PDF /JS object 20 at offset 0x173A; Size: 76 bytes
javascript_obj0021_004.js
  SHA-256: 985dec09164dde900f8c2282aa16290625d86bbbc4ac6d3279dc4aa2768afcb5
  Kind: pdf-javascript-stream; Source: PDF /JS object 21 at offset 0x1901; Size: 76 bytes
javascript_obj0022_005.js
  SHA-256: 912843da0c963431989382f963abdfa96bc3cbe09ccdd37c64dc291fb3dea172
  Kind: pdf-javascript-stream; Source: PDF /JS object 22 at offset 0x1AB8; Size: 76 bytes
javascript_obj0023_006.js
  SHA-256: c4c6ce7b217c6462d98f18a91027a128578bc8b29abe55cc55beebf461cb4567
  Kind: pdf-javascript-stream; Source: PDF /JS object 23 at offset 0x1C73; Size: 76 bytes
javascript_obj0024_007.js
  SHA-256: 1acf93ec75201a8f2f41b6ade13ee6666debee16d2334aaf4c2c0d6df49de29b
  Kind: pdf-javascript-stream; Source: PDF /JS object 24 at offset 0x1E25; Size: 76 bytes
javascript_obj0025_008.js
  SHA-256: 65419e4cb717035cc14870be8d2fde4c1e4cedf38cac072efa55ea648f52006e
  Kind: pdf-javascript-stream; Source: PDF /JS object 25 at offset 0x1FCB; Size: 76 bytes
javascript_obj0026_009.js
  SHA-256: dbf2eb47392c28e117026f717058180ff9da029835a1341864b23042b3ce639c
  Kind: pdf-javascript-stream; Source: PDF /JS object 26 at offset 0x2194; Size: 76 bytes
javascript_obj0027_010.js
  SHA-256: 49166c6d466b829c2ea90d7470b12b00ee1e284a24556f54ca24174fb907813a
  Kind: pdf-javascript-stream; Source: PDF /JS object 27 at offset 0x2348; Size: 76 bytes
javascript_obj0028_011.js
  SHA-256: 48d3922e791df1ea52faa0a6e768260ea7c2b64465c3242baf66237e88f0f3d4
  Kind: pdf-javascript-stream; Source: PDF /JS object 28 at offset 0x2520; Size: 76 bytes
javascript_obj0030_012.js
  SHA-256: 4998c838d830782394978017a954ed9975d56c739cb43852a628658ae7fe685e
  Kind: pdf-javascript-stream; Source: PDF /JS object 30 at offset 0x27D7; Size: 84 bytes