Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac3ffe8228e1e51f…

MALICIOUS

PDF

809.3 KB First seen: 2015-09-16
MD5: 0a440c27999d1777ea07ce16471a2920 SHA-1: d5502fe64e8aa39e44ea9c23085148d5affbad91 SHA-256: ac3ffe8228e1e51f1d462556b859ed7da1b67370e5e2d47d79de9f600d628b9a
76 Risk Score

🔏 Digital signature Signature invalid

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file triggered multiple heuristics related to embedded JavaScript and XFA forms, with a high confidence ML classifier flagging it as malicious. The presence of embedded JavaScript streams suggests an attempt to execute code, likely for malicious purposes such as exploiting vulnerabilities or downloading further stages. The ML classifier's high score strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF digital signature is cryptographically invalid medium PDF_SIGNATURE_INVALID
    A signature's CMS failed verification: either the signer's signature over the signed attributes is invalid, or the signed content digest does not match the bytes the ByteRange covers. The signature was tampered with, forged, or the signed content was altered.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ In PDF document text
    • http://www.xfa.org/schema/xci/3.0/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.8/In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off0006d90c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D90C 289498 bytes
SHA-256: dcefc16710d335e69f60cdd8a0e174d43939d02eaa8dd4c6d7ce4ca63f06495b