Malicious PDF — malware analysis report

Heuristics 5

• LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
  Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
• Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
  Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
• Unusually high stream count medium PDF_MANY_STREAMS
  PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
• External URI info PDF_URI
  PDF contains an external URL action
• Embedded URL info EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL https://github.com/BishopFox/sliver

  • https://github.com/BishopFox/
  • https://sliver.sh/install
  • https://github.com/BishopFox/sliver/wiki/Port-Forwarding
  • https://github.com/BishopFox/sliver/releases/tag/v1.1.0
  • https://github.com/sliverarmory/armory
  • https://github.com/skelsec/pypykatz
  • https://github.com/GhostPack/Rubeus
  • https://github.com/gentilkiwi/mimikatz
  • https://adsecurity.org/?p=1729
  • https://github.com/salesforce/jarm
  • https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/
  • https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008
  • https://www.cybereason.com/blog
  • https://www.cybereason.com/blog/category/all
  • https://www.cybereason.com/blog/category/research
  • https://www.cybereason.com/blog/category/podcasts
  • https://www.cybereason.com/blog/category/webinars
  • https://www.cybereason.com/blog/category/resources
  • https://www.cybereason.com/blog/category/videos
  • https://www.cybereason.com/blog/category/news
  • https://www.cybereason.com/
  • https://www.cybereason.com/request-a-demo
  • https://attack.mitre.org/tactics/TA0011/
  • https://attack.mitre.org/tactics/TA0002/
  • https://attack.mitre.org/techniques/T1059/003/
  • https://attack.mitre.org/tactics/TA0004/
  • https://attack.mitre.org/techniques/T1548/002/
  • https://attack.mitre.org/techniques/T1134/
  • https://attack.mitre.org/tactics/TA0005/
  • https://attack.mitre.org/techniques/T1055/
  • https://attack.mitre.org/tactics/TA0008/
  • https://attack.mitre.org/techniques/T1569/002/
  • https://attack.mitre.org/techniques/T1571/
  • https://attack.mitre.org/techniques/T1090/
  • https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
  • https://www.proofpoint.com/uk/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
  • https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity
  • https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control
  • https://en.wikipedia.org/wiki/DMZ_\(computing\
  • https://0x00-0x00.github.io/research/2018/10/31/How-to-bypass-UAC-in-newer-Windows-versions.html
  • https://www.wireguard.com/
  • http://attack.mitre.org/techniques/T1548/002/
  • https://attack.mitre.org/techniques/T1218/003/
  • https://attack.mitre.org/techniques/T1550/003/
  • https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a/
  • https://ti.defender.microsoft.com/articles/b1406335
  • https://www.cybereason.com/blog/ttp-briefing-q4-2025
  • https://www.cybereason.com/blog/fake-installer-valleyrat
  • https://www.cybereason.com/blog/identity-beyond-2026-incident-response-predictions

  +30 more URL(s)

Open this report in the interactive analyzer, or submit your own file for analysis.