Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b0704d62bae37fe…

Verdict: MALICIOUS
File type: PDF
Size: 88.0 KB
First seen: 2021-06-17
MD5: 1a71955e546d38a0f69bf7bdb247b09e
SHA-1: 0bf085ac0635aae41690937728d35407d262c817
SHA-256: 5b0704d62bae37feaa23902a7948a7ddf098843b51a5d0106c32c2a884e619cc
Risk score: 114

Digital signature: Signed

A PDF signature covers only the bytes listed in its /ByteRange; anything appended in a later incremental update sits outside it, and PDF JavaScript is never signed on its own. A valid signature therefore says nothing about whether the document is safe, and here the signed status does not offset the UNC-target action described below.

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a UNC path paired with a remote GoTo action, the pattern used to exploit CVE-2018-4993 and CVE-2019-7089: when a vulnerable viewer follows the action, Windows resolves the path over SMB and sends the user's NTLM authentication to the named host, where it can be captured for offline cracking or relay. The ML classifier independently flagged the document as malicious with high confidence. No scripts were extracted, so the UNC action is the sole delivery mechanism in this sample. One caveat a reviewer should weigh: the only UNC target recovered is \\127.0.0.1\test, a loopback address, so this particular file looks like a test or proof-of-concept build of the technique rather than a live harvesting campaign; the same document structure with a real host in the path is credential theft, and the verdict stands on that basis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9162

Heuristics 4

  • UNC path in PDF: possible NTLM credential theft (CVE-2018-4993 / CVE-2019-7089) [severity: high; likely CVE: CVE-2018-4993]
    The PDF contains a UNC path (\\server\share) alongside action triggers. When a vulnerable viewer processes the matching PDF action and resolves that path, the Windows SMB client authenticates to the remote host automatically, leaking the user's NTLM challenge-response.
  • Remote GoTo action [severity: high; rule: PDF_GOTO_REMOTE]
    The PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the entries below were found in PDF document text:
    • \\127.0.0.1\test (UNC path, loopback host)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    The five http:// entries are XML namespace identifiers from the document's XMP metadata stream (RDF, XMP, PDF and Dublin Core schemas) and appear in almost any PDF produced by Adobe tooling; they are not network targets. The UNC entry is the one that matters and is the same path the first heuristic fires on.
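The two high-severity heuristics above describe one pattern: an external-target action (/GoToR, /GoToE, /Launch, ...) whose file specification is a UNC path, reached from an automatic trigger such as /OpenAction. The script below is an added example written for this report, not the analysis tool's own code; it rebuilds that check over raw PDF syntax on a constructed sample (an /OpenAction firing a /GoToR at \\127.0.0.1\test, plus an XMP block with two of the namespace URLs listed above), decodes PDF literal and hex string escapes so an escaped or hex-encoded target still resolves, separates informational URLs from UNC targets, and grades the result. Object numbers, the sample PDF and the severity wording are all assumptions of the example; real samples often keep objects inside FlateDecode'd object streams, which would need inflating first.

```python
"""Static triage of a PDF for UNC-path actions of the kind CVE-2018-4993 abused.

Added example for this report, not the analysis tool's own code. It reads raw
PDF syntax only: a sample that keeps its objects in FlateDecode'd object
streams must be inflated before this scan means anything.
"""
import re

# Constructed sample (not the analysed file): an /OpenAction fires a /GoToR whose
# /F target is a UNC path, and an XMP metadata stream carries two of the
# namespace URLs the report lists as "In PDF document text".
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /GoToR /F (\\\\127.0.0.1\\test) /D [0 /Fit] >> endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 107 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch|URI|SubmitForm|ImportData)\b")
TARGET_RE = re.compile(rb"/(?:F|UF|URI)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")  # /F, /UF, /URI values
OPENACTION_RE = re.compile(rb"/OpenAction\s*(\d+)\s+\d+\s+R")
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
UNC_RE = re.compile(rb"\\{2,4}[A-Za-z0-9._-]+\\{1,2}[A-Za-z0-9._$-]+")  # raw bytes, PDF-escaped or not
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_string(tok: bytes) -> bytes:
    """Decode a PDF literal (...) or hex <...> string token into raw bytes."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:
            digits += b"0"                       # PDF pads an odd trailing nibble with 0
        return bytes.fromhex(digits.decode("ascii"))
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        if body[i:i + 1] != b"\\":
            out += body[i:i + 1]
            i += 1
            continue
        nxt, octal = body[i + 1:i + 2], re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
        if nxt in ESCAPES:
            out += ESCAPES[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:
            i += 1                               # lone backslash (line continuation etc.) is dropped
    return bytes(out)


def is_unc(target: bytes) -> bool:
    r"""True for the spellings a viewer hands to the Windows redirector: \\host\share or //host/share."""
    t = target.strip()
    return t.startswith(b"\\\\") or t.startswith(b"//")


def triage(pdf: bytes) -> dict:
    """Collect actions, UNC targets, /OpenAction references, URLs and raw UNC hits."""
    f = {"actions": [], "unc_targets": [], "raw_unc": [], "urls": [],
         "auto_refs": {int(m.group(1)) for m in OPENACTION_RE.finditer(pdf)}}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        for a in ACTION_RE.finditer(body):
            kind = a.group(1).decode()
            targets = [decode_pdf_string(t.group(1)) for t in TARGET_RE.finditer(body)]
            f["actions"].append((num, kind))
            f["unc_targets"] += [(num, kind, t.decode("latin-1")) for t in targets if is_unc(t)]
    f["urls"] = sorted({u.decode("latin-1") for u in URL_RE.findall(pdf)})
    f["raw_unc"] = [u.decode("latin-1") for u in UNC_RE.findall(pdf)]
    return f


def verdict(f: dict) -> str:
    """Grade the findings the way the report's two high-severity heuristics do (wording is ours)."""
    if any(num in f["auto_refs"] for num, _, _ in f["unc_targets"]):
        return "high: UNC target reached from /OpenAction; NTLM leak on a vulnerable viewer"
    if f["unc_targets"] or f["raw_unc"]:
        return "medium: UNC path present but no automatic trigger found"
    if f["actions"]:
        return "info: external actions present, no UNC target"
    return "clean: no external actions or UNC paths"


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(verdict(result))
    print("UNC targets:", result["unc_targets"], "\ninformational URLs:", result["urls"])
```

The linkage check in `verdict` is what separates a high from a medium grade: a UNC target that only fires when the user clicks a link annotation is still worth flagging, but the CVE-2018-4993 case is the one where the action runs on open. The loose `UNC_RE` pass over raw bytes mirrors the report's "UNC path in PDF document text" heuristic and catches paths that sit outside any action dictionary (annotations, XFA, page text).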

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_cff_off00000abc.bin | pdf-font-stream | PDF embedded font (cff) at offset 0xABC | 86093 bytes
  SHA-256: 427af119e8f704848644710f5da65ea8d385162ce3d78bb774a2b0bda4893f95
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 7.45, consistent with packed or encrypted content)
  Caveat: a CFF font program is a dense binary encoding of Type 2 charstrings and routinely scores high on byte entropy, so this value is not unusual for a legitimate font. With ClamAV clean and no script or payload recovered from it, this hit is low-confidence on its own; the verdict rests on the UNC action, not on this artifact.
font_01_sfnt_off0001096e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1096E | 54236 bytes
  SHA-256: 2f8ea1ecd6f45a38d53b2dd7ec3c8033b5a9e06c9ac1113c15e158de1637172a
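The entropy rule that fired on the first font stream is a byte-frequency measure, and it cannot tell packed or encrypted data apart from ordinary compressed data. The block below is an added example for this report, not the analysis tool's code: it implements Shannon entropy in bits per byte, applies a threshold label (the 7.0 cut-off is an assumption, not the tool's), and runs it over constructed inputs to show that zlib-compressed text scores about as high as pseudo-random bytes while the same text uncompressed does not. No data from the analysed sample is used.

```python
"""Shannon entropy triage for carved artifacts, and why compressed data scores high.

Added example for this report, not the analysis tool's code. All inputs are
constructed below; nothing is taken from the analysed sample.
"""
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_label(data: bytes, high: float = 7.0) -> str:
    """Label a triage rule like the report's would attach; the 7.0 threshold is an assumption."""
    return "packed-or-encrypted-like" if shannon_entropy(data) >= high else "plain"


def sample_inputs() -> dict:
    """Constructed test data: plain text, the same text zlib-compressed, and pseudo-random bytes."""
    rng = random.Random(2021)                     # fixed seed keeps the example reproducible
    words = [b"font", b"glyph", b"charstring", b"subr", b"hint", b"width", b"kern",
             b"advance", b"cmap", b"private", b"dict", b"encoding"]
    text = b" ".join(rng.choice(words) for _ in range(20000))
    return {
        "plain_text": text,
        "deflated_text": zlib.compress(text, 9),  # same content, now near-uniform bytes
        "random_bytes": bytes(rng.getrandbits(8) for _ in range(65536)),  # stand-in for encrypted data
    }


if __name__ == "__main__":
    for name, blob in sample_inputs().items():
        print(f"{name:14s} {shannon_entropy(blob):.2f} bits/byte -> {entropy_label(blob)}")
```

The compressed text and the random bytes land in the same label, which is exactly the ambiguity a font stream presents: FlateDecode'd or natively compact font data looks packed to this measure. Entropy is useful for ranking which carved files to look at first, not as evidence by itself.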