Verdict: MALICIOUS (risk score 84)
Malware Insights
MITRE ATT&CK
- T1566.001 Phishing: Spearphishing Attachment
- T1548.003 Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1078.004, as originally tagged, is Valid Accounts: Cloud Accounts; neither fits, since nothing in this report involves sudo or cloud accounts, and the mapping should be treated as unsupported for a Windows PDF/NTLM case)
- T1203 Exploitation for Client Execution
The PDF contains the UNC path \\127.0.0.1\test, the pattern used to make a vulnerable viewer open an SMB connection and authenticate with the user's NTLM credentials (CVE-2018-4993, triggered through a GoToR action, or CVE-2019-7089). A remote GoTo action is also present, so the path sits behind an action trigger rather than in inert text. Two caveats: the target is the loopback address, so a viewer that follows it authenticates to the local machine and no credential leaves the host, which is more consistent with a proof-of-concept or test document than with a live credential-harvesting lure; and no scripts were extracted and the document body was unreadable, so the specific lure could not be assessed.
Machine Learning
- Nyx PDF Classifier: clean score 0.0002
Heuristics (4)
- UNC path in PDF: possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089). Severity: high. Likely CVE: CVE-2018-4993. Rule: CVE_2018_4993. The PDF contains a UNC path (\\server\share) alongside action triggers; when a vulnerable viewer resolves the path as the matching PDF action is processed, Windows may send NTLM credentials to the named host. Here the host is 127.0.0.1, so any authentication attempt stays on the local machine.
- Remote GoTo action. Severity: high. Rule: PDF_GOTO_REMOTE. The PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable.
- Suspicious extracted artifact. Severity: info. Rule: EXTRACTED_FILE_STATIC_TRIAGE. One or more files extracted from inside this sample matched static suspicious-content checks (script obfuscation, encoded payload blobs, packed data, or execution/download terms).
- Embedded URL. Severity: info. Rule: EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - \\127.0.0.1\test (in PDF document text)
  - http://www.iec.ch (in PDF document text). This is the URL carried in the description tags of the standard sRGB IEC61966-2.1 colour profile, and an ICC profile is among the carved artifacts below, so it is almost certainly profile metadata rather than a lure.
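The two high-severity heuristics above (a UNC path reachable from an action trigger, and a GoToR/GoToE/Launch action with an external target) can be reproduced with a small static scan. The following is an added example written for this page, not the analyzer's own code: it runs over a constructed one-page PDF whose /OpenAction is a GoToR pointing at the same loopback share as the sample, decodes the PDF literal-string escaping, and classifies each target by host scope so that a 127.0.0.1 target is reported as unable to leak credentials off the host. Function names, the rule labels and the severity mapping are assumptions chosen to mirror the report's wording.

```python
"""Triage PDF actions whose target is a UNC path, URL or executable.

Added example, not the analyzer's own code. Function names, rule labels and
severities are assumptions that mirror the report's wording.
"""
import re
from ipaddress import ip_address

# Constructed sample, not the analysed file. rb"" keeps the PDF-level escaping
# visible: a PDF literal string spells \\host\share as (\\\\host\\share).
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 6 0 R >> endobj
4 0 obj << /S /GoToR /F (\\\\127.0.0.1\\test) /D [0 /Fit] >> endobj
5 0 obj << /S /URI /URI (http://www.iec.ch) >> endobj
6 0 obj << /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTION_TYPES = ("GoToR", "GoToE", "Launch", "URI", "ImportData", "SubmitForm")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".cmd", ".hta", ".js", ".vbs", ".ps1")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_pdf_literal(raw: bytes) -> str:
    """Undo the backslash escapes PDF allows inside (...) literal strings."""
    def sub(m):
        tok = m.group(1)
        return bytes([int(tok, 8) & 0xFF]) if tok.isdigit() else _ESC.get(tok, tok)
    return re.sub(rb"\\([0-7]{1,3}|.)", sub, raw, flags=re.S).decode("latin-1")


def classify_target(target: str) -> dict:
    """Split a target into kind (unc/url/file) and say where its host points."""
    host, kind = None, "file"
    if (m := re.match(r"^\\\\([^\\]+)\\", target)):
        kind, host = "unc", m.group(1)
    elif (m := re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/@]*@)?([^/:]+)", target)):
        kind, host = "url", m.group(2)
    scope = "n/a"
    if host is not None:
        try:
            ip = ip_address(host)
            scope = "loopback" if ip.is_loopback else "private" if ip.is_private else "external"
        except ValueError:  # hostname rather than an address
            scope = "loopback" if host.lower() == "localhost" else "external"
    return {"kind": kind, "host": host, "scope": scope,
            "executable": target.lower().endswith(EXEC_SUFFIXES)}


def scan_actions(pdf: bytes) -> list:
    """One finding per action object whose target is a UNC path, URL or executable."""
    has_trigger = bool(re.search(rb"/(OpenAction|AA)\b", pdf))
    action_re = rb"/S\s*/(%s)\b" % b"|".join(t.encode() for t in ACTION_TYPES)
    findings = []
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj(.*?)endobj", pdf, re.S):
        body = m.group(2)
        a = re.search(action_re, body)
        if not a:
            continue
        # /F (..), /URI (..) or a /Win << /F (..) >> file-spec dictionary
        t = re.search(rb"/(?:F|URI|Win)\s*(?:<<[^>]*?)?\(((?:[^()\\]|\\.)*)\)", body, re.S)
        if not t:
            continue
        info = classify_target(decode_pdf_literal(t.group(1)))
        info.update(obj=int(m.group(1)), action=a.group(1).decode(),
                    target=decode_pdf_literal(t.group(1)))
        if info["kind"] != "file" or info["executable"]:
            findings.append(info)
    for f in findings:
        f["rule"] = "PDF_GOTO_REMOTE" if f["action"] in ("GoToR", "GoToE") else "PDF_ACTION_" + f["action"].upper()
        f["severity"] = "info" if f["action"] == "URI" else "high"
        if f["kind"] == "unc" and has_trigger:   # the report labels this CVE_2018_4993
            f["rule"] += ",UNC_PATH_WITH_TRIGGER"
        # A loopback or private UNC target cannot deliver NTLM to an attacker host.
        f["exfil_possible"] = f["kind"] == "unc" and f["scope"] == "external"
    return findings


if __name__ == "__main__":
    for finding in scan_actions(SAMPLE_PDF):
        print(finding)
```

On the constructed sample the scan reports object 4 as a remote GoTo with a UNC target behind an /OpenAction trigger but with `exfil_possible` false because the host is loopback, and object 5 as an informational URI action, which is the same split the report's verdict should reflect. Streams with indirect objects or hex-encoded strings are not handled; real triage on a production sample should go through a full PDF parser.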
Extracted artifacts (9)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 | Detection |
|---|---|---|---|---|---|
| stream_001_off000005f2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5F2 | 663552 bytes | e1905fe95f83d79c53c70f5a80dc056ab65775c370b487a9ba58272ebe4f2f14 | ClamAV: no threats found. Obfuscation or payload: likely (carved artifact entropy 7.84, consistent with packed or encrypted content) |
| icc_00_off0009913a.icc | pdf-icc-profile | PDF ICC profile at offset 0x9913A | 3144 bytes | 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e | |
| font_00_sfnt_off00099f3a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x99F3A | 11452 bytes | 5037e49aca1447505512b7addd0a5a866ba9c052aedbf182ea50a369cde09e5f | |
| font_01_sfnt_off0009bbd1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9BBD1 | 19476 bytes | 98dc32710cbd935d7495a599c4393ae726804cc20924c126e6de7d0e4857edf1 | |
| font_02_sfnt_off0009f146.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9F146 | 31904 bytes | 736f91bc43c686d1705608a48fea67fda6bb0b074131ff8ecded14f3e6ea5985 | |
| font_03_sfnt_off000a498a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA498A | 24884 bytes | c76ea6b69e8c2a4571707c36ffdb286b23822e7490bf2a36cb562654754618d5 | |
| font_04_sfnt_off000a8b6e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA8B6E | 4252 bytes | 88721113c9e18500081ed4b881641d381cc9205a0d16c556d4a6989fbc735ded | |
| font_05_sfnt_off000a9a09.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA9A09 | 464 bytes | 471ad5fdc8306f55aecebe8e2accdb554708cb74b3e451c8dea31bf7a0f85bb8 | |
| font_06_sfnt_off000a9e38.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA9E38 | 11452 bytes | 32d1ba8b6ad108b07b37203f92eae2cce1ed79d372ad7cf3a95bc0cd9d1d8dc9 | |

The 7.84 bits/byte figure for the first artifact is measured after Flate inflation, so the content is near-random even once the declared compression is removed. That is what packed or encrypted data looks like, but it is also what an image that was already compressed before the Flate layer was added, an embedded file, or encrypted object data looks like, and ClamAV found nothing in it. The listing does not say what the stream is, so check its object dictionary (/Subtype /Image, a /DCTDecode or /JPXDecode filter chain, /Type /EmbeddedFile, or an /Encrypt entry in the trailer) before letting the packing flag weigh on the verdict.