MALICIOUS (Risk Score: 82)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1078.004 Cloud Accounts
- T1203 Exploitation for Client Execution
The PDF contains a UNC path \\10.0.0.1\test, which is a strong indicator of potential NTLM credential theft, likely exploiting CVE-2018-4993 or CVE-2019-7089. The presence of a remote GoTo action further suggests malicious intent to redirect the user or trigger an exploit. No scripts were extracted, but the document structure and heuristics point towards an attack focused on credential harvesting.
Machine Learning
- Nyx PDF Classifier clean score: 0.0001
Heuristics (3)
- UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high; CVE likely: CVE_2018_4993]: PDF contains a UNC path (\\server\share) alongside action triggers; when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed.
- Remote GoTo action [severity: high; tag: PDF_GOTO_REMOTE]: PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable.
- Embedded URL [severity: info; tag: EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: \\10.0.0.1\test (in PDF document text)
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_010_off0002d2c7.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2D2C7 | 124764 bytes | aa0f972a6c09bd8c5846933271d6df8bf430479cd28882cda32dbcfbf8232d9a |
| font_01_sfnt_off000380a7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x380A7 | 94484 bytes | a77d52b0d2484dba3f3272254ec990605221008e5044d2cada2f007eb05d9e5b |
| font_02_sfnt_off0003f18d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3F18D | 30628 bytes | 8f374b66f70d0995582a237ccc60732052efaab847ce4a5dd6cb7c66cb04fd12 |