PDF malware analysis — malicious · 49d6208756181f64

MALICIOUS

PDF

30.0 KB

MD5: 853116ddfd89e51d62f75d95bf6f589a SHA-1: a16579d61e02d80c150fbbc45de41fcf760a6bcd SHA-256: 49d6208756181f645d3baf42cfccb55eb1802ae213174db979f34cae36b8645b

116 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell T1071.001 Web Protocols

The PDF file is encrypted and contains JavaScript, which is a common technique to hide malicious content. The presence of a UNC path (`\\\192.168.1.1\share\test.txt`) strongly suggests an attempt at NTLM credential theft, exploiting CVE-2018-4993 or similar vulnerabilities. The document body appears to be a screenshot lure, designed to trick users into interacting with a malicious element.

Heuristics 5

UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) high CVE likely CVE_2018_4993

PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
Image-only document with action trigger (screenshot lure) medium PDF_IMAGE_LURE

PDF has 2 image(s), only 0 text block(s), carries a click-outward action, and is only 30 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 15

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0017_000.js` `ff28f3cfec710601c3105f4ab8dfb7dfcc428f15b946e0d59965cd7175ab46ad`	pdf-javascript-stream	PDF /JS object 17 at offset 0x1239	86 bytes
`javascript_obj0018_001.js` `3814c1c1391bad04dbce2f5c42f6058e86478638e8194f04d37a6afae2a11869`	pdf-javascript-stream	PDF /JS object 18 at offset 0x141D	86 bytes
`javascript_obj0019_002.js` `bd4942d5bdf3984fb0e1757b38f912db87b7e51709d44cf1a9172e348873dd1b`	pdf-javascript-stream	PDF /JS object 19 at offset 0x1619	86 bytes
`javascript_obj0020_003.js` `3c7555d34e71812604396083054ad19490fd317b16990303edc6b652785c4a43`	pdf-javascript-stream	PDF /JS object 20 at offset 0x17EA	86 bytes
`javascript_obj0021_004.js` `f31615437e13d75187da4fbf4fcb2901c791401e100a64ec08dbaf8b107071f7`	pdf-javascript-stream	PDF /JS object 21 at offset 0x19D6	86 bytes
`javascript_obj0022_005.js` `7967abe3d0ab347ac8ed436a15ecf802f1ed4e6bc99c564c08990863d677047e`	pdf-javascript-stream	PDF /JS object 22 at offset 0x1BB4	86 bytes
`javascript_obj0023_006.js` `31628c1e6b91ef7efef8a5732d0e3272bcdbfcfbff9a33ae3ea183d79d889a7c`	pdf-javascript-stream	PDF /JS object 23 at offset 0x1D8B	86 bytes
`javascript_obj0024_007.js` `d567232dec548405bd608dfde2eb3a8861d78a10471524897bae8b059ae145e2`	pdf-javascript-stream	PDF /JS object 24 at offset 0x1F6B	86 bytes
`javascript_obj0025_008.js` `be13f42a4c0f524b6dadfa41d1d0181381ce5a9d32ab62a800c594890dd9ed5f`	pdf-javascript-stream	PDF /JS object 25 at offset 0x2149	86 bytes
`javascript_obj0026_009.js` `db6d43870bbc98f348bc9a87642fe86c636c16c25dd44a0d8bf78973f4366073`	pdf-javascript-stream	PDF /JS object 26 at offset 0x2310	86 bytes
`javascript_obj0027_010.js` `432606652c60370c0846ac0194af7f82583e64cb92c9f4cd58fac86fded490b2`	pdf-javascript-stream	PDF /JS object 27 at offset 0x24EA	86 bytes
`javascript_obj0028_011.js` `72be43a9fd4f2d5a9b17b961cff3e89aa9bcb1c0bc974545a3bc427534d4f9f5`	pdf-javascript-stream	PDF /JS object 28 at offset 0x26C7	86 bytes
`javascript_obj0029_012.js` `766ed32518c95ec24d17c24631f3c52d4abb136d42b800d9023352bbb317f964`	pdf-javascript-stream	PDF /JS object 29 at offset 0x2895	86 bytes
`javascript_obj0030_013.js` `9b617b356bf0d1e8cf4c3f8bf9447a161ff57f41febcb17b6cc4d37de2772cea`	pdf-javascript-stream	PDF /JS object 30 at offset 0x2A6A	86 bytes
`javascript_obj0031_014.js` `085f7cd73a48f8364309eba32a4c1efd765f0ae8faca53bc4465558cf290da71`	pdf-javascript-stream	PDF /JS object 31 at offset 0x2C4D	86 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.