OK let me see if I've got this straight:
Let's say the NAT-enabled router receives a packet on the WAN side, and let's say that the destination port is 139. The NAT-enabled router will do the following:
1) Check its list of "inward pinholes" to see if the packet should be forwarded to a specified IP address on the LAN.
2) Check its list of "currently open sockets" to see if the packet should be forwarded to a particular IP address on the LAN.
So let's say, out of the blue, we randomly send a packet destined for port 139 to the WAN side of a NAT-enabled router. The router will check its "inward pinhole" list and then check its "currently open socket" list, and having found no match for port 139, it won't forward the packet onto the LAN. The packet will never reach the "victim computer".
What you're saying, if I understand you correctly, is as follows:
1) From the victim computer, you send a packet with source port 139 to the "malicious computer". When the NAT-enabled router sees this packet arrive on its LAN side, it will add an entry to its "currently open socket" list.
2) Now that there's an entry in the "currently open socket" list, we can communicate with port 139 on the victim computer.
Do I understand correctly?
One thing I just want to add, and I don't know whether you've considered this yet:
When the NAT-enabled router receives the packet on its LAN side with a source address of 139, it might forward on the packet giving it a different source address. For instance, it might receive a packet with source port of 139, and then forward it on as a packet with source port 1027. Then your malicious computer will have to send a packet to port 1027 on the WAN side of the NAT-enabled router, and this packet will be forwarded on to port 139 of the victim computer. This shouldn't be a problem so long as your malicious computer knows to respond on the same port number.