Malicious PDF — malware analysis report

Static analysis result for SHA-256 93090e76cb174b57…

MALICIOUS

PDF

Size: 274.4 KB
Created: 2021-09-20 10:50:34 +05:30
Authoring application: Microsoft® Word for Microsoft 365
First seen: 2021-09-24
MD5: e5bb349887c86030dd5a144e11fd6057
SHA-1: fe6b9a8317b3b3d06240096445021d0cc9473dfc
SHA-256: 93090e76cb174b57248950f6b72769e11c53d76db10fe73a7a641d8560453822
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1078.004 Cloud Accounts
  • T1203 Exploitation for Client Execution

The PDF contains a UNC path \\10.0.0.1\test, which is a strong indicator of potential NTLM credential theft, likely exploiting CVE-2018-4993 or CVE-2019-7089. The presence of a remote GoTo action further suggests malicious intent to redirect the user or trigger an exploit. No scripts were extracted, but the document structure and heuristics point towards an attack focused on credential harvesting.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics (3)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high; CVE likely: CVE_2018_4993]
    PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
  • Remote GoTo action [severity: high; tag: PDF_GOTO_REMOTE]
    PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable
  • Embedded URL [severity: info; tag: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • \\10.0.0.1\test (in PDF document text)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

stream_010_off0002d2c7.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2D2C7
  Size: 124764 bytes
  SHA-256: aa0f972a6c09bd8c5846933271d6df8bf430479cd28882cda32dbcfbf8232d9a

font_01_sfnt_off000380a7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x380A7
  Size: 94484 bytes
  SHA-256: a77d52b0d2484dba3f3272254ec990605221008e5044d2cada2f007eb05d9e5b

font_02_sfnt_off0003f18d.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3F18D
  Size: 30628 bytes
  SHA-256: 8f374b66f70d0995582a237ccc60732052efaab847ce4a5dd6cb7c66cb04fd12