Malicious PDF — malware analysis report

Static analysis result for SHA-256 ce2627e847a23891…

MALICIOUS

PDF

856 B
First seen: 2022-07-02
MD5: 9fed251bfb0104d7692eacca25900dcc
SHA-1: bc2c78c3c5dc538504a0d54738dd1b5e29822a1a
SHA-256: ce2627e847a238913fbbb3c401705f684c1891b88acb5e004fe83b449134000f
Risk Score: 82

Machine Learning

  • Nyx PDF Classifier clean score 0.1047

Heuristics (3)

  • UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) [severity: high] [CVE likely] [rule: CVE_2018_4993]
    The PDF contains a UNC path (\\server\share) alongside action triggers. When a vulnerable viewer resolves this path while processing the matching PDF action, Windows may send NTLM credentials to the remote host.
  • Remote GoTo action [severity: high] [rule: PDF_GOTO_REMOTE]
    The PDF references an external document via a GoToR/GoToE action whose target is a URL, UNC path, or executable.
  • Embedded URL [severity: info] [rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: \\fh0ls85szbsb3lkpcdvjgxkbm2stgi.burpcollaborator.net\test (channel: PDF document text)