Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d38c3d70656a86d…

MALICIOUS

PDF

Size: 239.6 KB
Created: 2017-02-24 13:52:02 +01:00
Authoring application: iTextSharp™ 5.5.2 ©2000-2014 iText Group NV (Siemens AG; licensed version)
First seen: 2026-05-07
MD5: 16e027372ecadaa542c3b704b4b02b57
SHA-1: 4bc9ac0ecc6413edccb5c20f1a1a74e47ca56f07
SHA-256: 9d38c3d70656a86dde9422713bdd211fa2041ba0e2deb966b0f3ff9892c4d4b5
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript and an AcroForm button with an action trigger, indicating an attempt to execute code. The ML classifier flagged this PDF as malicious with high confidence. While the document body is heavily obfuscated, the presence of JavaScript and an external URI suggests a malicious intent to redirect the user to a potentially harmful site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9626

Heuristics (6)

  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript opens or fetches a remote URL/document (severity: low; rule: PDF_JS_REMOTE_DOC_FETCH)
    Embedded JavaScript calls app.openDoc() against a remote filesystem (cFS:'CHTTP'/'CFTP') or app.launchURL() to open an external / base64-encoded URL. This is the JS-driven remote-document / phishing-redirect technique — distinct from a /Launch file dropper. It exploits no CVE; the risk is where the URL leads.
    Matched line in script:
    if(app.viewerVersion<7) {this.openURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);} else{app.launchURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);};
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0051_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 51 at offset 0x1E4EE
    Size: 203 bytes
    SHA-256: f258ff8daef67a13a0519bed23f4f2b48214305cbbb1a1003ea3eed2417229f7
    Preview script (first 1,000 lines of the extracted script):
    if(app.viewerVersion<7) {this.openURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);} else{app.launchURL('https://support.industry.siemens.com/cs/ww/de/pv/3RV2917-5BA00',true);};
  • icc_00_off00000059.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x59
    Size: 3144 bytes
    SHA-256: 3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301