Verdict: MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1555.003 Credentials from Password Stores
The PDF file contains a UNC path, which is a known technique for credential theft via NTLM relay attacks (CVE-2018-4993). The 'PDF_GOTO_REMOTE' heuristic further indicates a remote action, likely intended to trigger the UNC path. No scripts were extracted, and the document body is generic, suggesting the primary malicious function is credential harvesting.
Machine Learning
- Nyx PDF Classifier clean score 0.1047
Heuristics (3)
- UNC path in PDF — possible NTLM credential theft (CVE-2018-4993/CVE-2019-7089) | severity: high | CVE likely: CVE_2018_4993 | PDF contains a UNC path (\\server\share) alongside action triggers; when a vulnerable viewer resolves this path, Windows may send NTLM credentials to the remote host as the matching PDF action is processed.
- Remote GoTo action | severity: high | rule: PDF_GOTO_REMOTE | PDF references an external document via GoToR/GoToE whose target is a URL, UNC path, or executable.
- Embedded URL | severity: info | rule: EMBEDDED_URL | One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: \\172.26.212.43\test (found in PDF document text)