Malicious PDF — malware analysis report

Static analysis result for SHA-256 405acaa6e5e054a5…

MALICIOUS

PDF

22.2 KB Created: 2021-07-28 11:10:50 +03:10 Authoring application: WPS 文字
MD5: 62e56c6c2ee00469791b9ae9de9d1101 SHA-1: 60901b9e2d4253a8745a0dd5f2dafcbbc2340ff4 SHA-256: 405acaa6e5e054a5ac40fcf43d14ddb8af90be61903ec53a6d03a87f48bd8ae5
80 Risk Score

Malware Insights

MITRE ATT&CK
T1557.001 Man-in-the-Middle: Drive-by Compromise T1078.001 Valid Accounts: Default Accounts T1203 Exploitation for Client Execution

The PDF contains a UNC path, identified by the CVE_2018_4993 heuristic, which is a strong indicator of an attempt to capture NTLM credentials. The presence of a remote GoTo action further suggests malicious intent, likely to redirect the user or trigger an exploit. While no scripts were extracted, the UNC path itself serves as a critical IOC for potential credential harvesting.

Machine Learning

  • Nyx PDF Classifier clean score 0.0058

Heuristics 2

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) high CVE likely CVE_2018_4993
    PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
  • Remote GoTo action high PDF_GOTO_REMOTE
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000007e4.bin
699b051d11f865a2abf62007ffe6d588101b40d6aabb14904217c5065c19a9f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E4 72904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.