Verdict: MALICIOUS
Risk Score: 66

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
The PDF contains embedded JavaScript and an AcroForm button with an action trigger, indicating an attempt to execute code. The ML classifier flagged this PDF as malicious with high confidence. While the document body is heavily obfuscated, the presence of JavaScript and an external URI suggests a malicious intent to redirect the user to a potentially harmful site.
Machine Learning
- Nyx PDF Classifier: malicious score 0.9626
Heuristics (6)
- JavaScript action (low, PDF_JAVASCRIPT, 2 related findings): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript opens or fetches a remote URL/document (low, PDF_JS_REMOTE_DOC_FETCH): Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique, distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
  Matched line in script: `if(app.viewerVersion<7) {this.openURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);} else{app.launchURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);};`
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- External URI (info, PDF_URI): PDF contains an external URL action.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| javascript_obj0051_000.js | pdf-javascript-stream | PDF /JS object 51 at offset 0x1E4EE | 203 bytes | f258ff8daef67a13a0519bed23f4f2b48214305cbbb1a1003ea3eed2417229f7 |
| icc_00_off00000059.icc | pdf-icc-profile | PDF ICC profile at offset 0x59 | 3144 bytes | 3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301 |

Preview of javascript_obj0051_000.js (first 1,000 lines of the extracted script):

```javascript
if(app.viewerVersion<7) {this.openURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);} else{app.launchURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);};
```