PDF malware analysis — malicious · b7f05d08e2ce1984

MALICIOUS

PDF

286.2 KB Created: 2010-05-06 10:29:30 -05:00 Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 8.2.2 (Windows))

MD5: a53fcf8a58b2cfaf83b88466334cc6b8 SHA-1: 4ffcb33191b3e16f89c5cf6adbfdbb81d1f8e5bf SHA-256: b7f05d08e2ce198469de641b986786ba13d316317471a654b132e45911678be8

92 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1557.001 Adversary-in-the-Middle

The PDF contains JavaScript actions and embedded JS streams, indicating malicious intent. A high-severity heuristic fired for a UNC path, strongly suggesting an attempt at credential theft via NTLM relay (CVE-2018-4993/CVE-2019-7089). The document also uses invoice and callback lures, further supporting a phishing or social engineering attack pattern. No specific malware family could be identified.

Heuristics 7

UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) high CVE likely CVE_2018_4993

PDF contains a UNC path (\\server\share) alongside action triggers — when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed
Callback phishing phone lure medium SE_CALLBACK_LURE

Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Fake invoice / payment lure low SE_INVOICE_LURE

Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0052_000.js` `edc81df06236f4f7f78ad6c2ad7367f010516682b9b95cf24321c54c44a61f34`	pdf-javascript-stream	PDF /JS object 52 at offset 0x3B233	42 bytes
`javascript_obj0151_008.js` `1d03a107e45160304b614e4ae31a0dc575017e5d6e59414bb8916127c3277507`	pdf-javascript-stream	PDF /JS object 151 at offset 0x413A7	39 bytes
`javascript_obj0152_009.js` `bf6e5cec6b360b670b6bd2c73336d76c35e5f2336d421386785389d70cf8237a`	pdf-javascript-stream	PDF /JS object 152 at offset 0x413F8	42 bytes
`javascript_obj0169_010.js` `a38c01daa8a2de78b2151ee01d1c69e81170452d881008dd1b45953b3c94a808`	pdf-javascript-stream	PDF /JS object 169 at offset 0x42166	39 bytes
`icc_00_off00040467.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x40467	3144 bytes
`font_00_sfnt_off00036d62.bin` `6b83615bba274ead991695f869cc71393179f28d0afcdb31489087dd46f2f6be`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x36D62	12240 bytes
`font_01_sfnt_off000387b2.bin` `065d7c4e59c6611524d5a4e6af76ac6f45a811718dcd58fd01b89d5e29f12b6e`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x387B2	5172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.