Malicious PDF — malware analysis report

Heuristics 7

• UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) high CVE likely CVE_2018_4993
  PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
• Encrypted PDF carries /Js — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
  PDF declares /Encrypt and also references an executable trigger (/Js). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
• Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
  Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
• Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
  Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
• Unusually high stream count medium PDF_MANY_STREAMS
  PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
• PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE
  PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL http://www.peterszor.com

  • http://necsi.org:16080/postdocs/sayama/sdrs/java
  • http://www.foresight.org/nanorev/ecophagy.html
  • http://www.bitstorm.org/gameoflife
  • http://fourmillab.ch/documents/univac/pervade.html
  • http://www.skrenta.com
  • http://www.viruslist.com
  • http://www.virusbtn.com/resources/viruses/indepth/beagle.xml
  • http://viruslist.com/eng/viruslist.html?id=2836
  • http://www.x86.org/secrets/opcodes/salc.htm
  • http://www.virusbtn.com/old/OtherPapers/MSAV/
  • http://lslwww.epfl.ch/biowall/index.html
  • http://fourmilab.ch/documents/univac/animal.html
  • http://www.f-secure.com/v-descs/mquito.shtml
  • http://www.cs.uu.nl/people/markov/gmaker/doc.html
  • http://www.research.ibm.com/antivirus/timeline.htm
  • http://www.intel.com/design/PentiumIII/specupdt/24445349.pdf
  • http://www.computer.org/security/v1n5/j5cap.htm
  • http://cm.bell-labs.com/who/ken/trust.html
  • http://www.f-secure.com/v-descs/3apa3a.shtml
  • http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Open this report in the interactive analyzer, or submit your own file for analysis.