Malicious PDF — malware analysis report

Static analysis result for SHA-256 3ffda15e825ce19c…

MALICIOUS

PDF

809.3 KB First seen: 2026-05-09
MD5: bdff26a7d9da744bd8fba827d1be1ba0 SHA-1: eb98eba40d436266e38ea24cc193eacce3cde006 SHA-256: 3ffda15e825ce19c0d49eab701e16529079e5929b3c5a3e3aa57b0c699ba5f59
78 Risk Score

🔏 Digital signature Signature invalid

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript stream is the primary mechanism for executing malicious actions, likely involving the download and execution of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 6

  • PDF digital signature is cryptographically invalid medium PDF_SIGNATURE_INVALID
    A signature's CMS failed verification: either the signer's signature over the signed attributes is invalid, or the signed content digest does not match the bytes the ByteRange covers. The signature was tampered with, forged, or the signed content was altered.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/3.0/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.8/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-data/1.0/'/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-data/1.0/Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off0006d90c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D90C 289498 bytes
SHA-256: dcefc16710d335e69f60cdd8a0e174d43939d02eaa8dd4c6d7ce4ca63f06495b

Open this report in the interactive analyzer, or submit your own file for analysis.