Malicious PDF — malware analysis report

Static analysis result for SHA-256 79541f99d7411e23…

MALICIOUS

PDF

Size: 687.0 KB
Created: 2021-10-26 14:04:36 UTC
Authoring application: Word (via macOS Version 12.0.1 (Build 21A559) Quartz PDFContext)
First seen: 2021-11-02
MD5: 06a0c1d800207fb78af0795f2741bafe
SHA-1: c047b99062b440290cb77bfdb8df63ec78c8d2cf
SHA-256: 79541f99d7411e2357c285315783be85bcbfe6b166156d42030a1707f1783770
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1078.004 Abuse Elevation Control Mechanism: Sudo
  • T1203 Exploitation for Client Execution

The PDF contains a UNC path '\\127.0.0.1\test' which is indicative of an attempt to exploit CVE-2018-4993 or CVE-2019-7089 for NTLM credential theft. The presence of a remote GoTo action further suggests malicious intent to redirect the user or trigger an external resource. No scripts were extracted, and the document body was unreadable, limiting further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0002

Heuristics (4)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high] [tag: CVE_2018_4993, CVE likely]
    PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
  • Remote GoTo action [severity: high] [tag: PDF_GOTO_REMOTE]
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable
  • Suspicious extracted artifact [severity: info] [tag: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info] [tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • \\127.0.0.1\test (in PDF document text)
    • http://www.iec.ch (in PDF document text)

Extracted artifacts (9)

Files carved from inside the sample during analysis.

Columns: Filename / Kind / Source / Size

stream_001_off000005f2.bin / decompressed-pdf-stream / PDF FlateDecoded stream at offset 0x5F2 / 663552 bytes
SHA-256: e1905fe95f83d79c53c70f5a80dc056ab65775c370b487a9ba58272ebe4f2f14
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact entropy is 7.84, consistent with packed or encrypted content.
icc_00_off0009913a.icc / pdf-icc-profile / PDF ICC profile at offset 0x9913A / 3144 bytes
SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_sfnt_off00099f3a.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0x99F3A / 11452 bytes
SHA-256: 5037e49aca1447505512b7addd0a5a866ba9c052aedbf182ea50a369cde09e5f
font_01_sfnt_off0009bbd1.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0x9BBD1 / 19476 bytes
SHA-256: 98dc32710cbd935d7495a599c4393ae726804cc20924c126e6de7d0e4857edf1
font_02_sfnt_off0009f146.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0x9F146 / 31904 bytes
SHA-256: 736f91bc43c686d1705608a48fea67fda6bb0b074131ff8ecded14f3e6ea5985
font_03_sfnt_off000a498a.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0xA498A / 24884 bytes
SHA-256: c76ea6b69e8c2a4571707c36ffdb286b23822e7490bf2a36cb562654754618d5
font_04_sfnt_off000a8b6e.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0xA8B6E / 4252 bytes
SHA-256: 88721113c9e18500081ed4b881641d381cc9205a0d16c556d4a6989fbc735ded
font_05_sfnt_off000a9a09.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0xA9A09 / 464 bytes
SHA-256: 471ad5fdc8306f55aecebe8e2accdb554708cb74b3e451c8dea31bf7a0f85bb8
font_06_sfnt_off000a9e38.bin / pdf-font-stream / PDF embedded font (sfnt) at offset 0xA9E38 / 11452 bytes
SHA-256: 32d1ba8b6ad108b07b37203f92eae2cce1ed79d372ad7cf3a95bc0cd9d1d8dc9