Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0375fb2448e91b4…

MALICIOUS

PDF

809.3 KB First seen: 2026-05-04
MD5: 2a42bf17393c3caaa663a6d1dade9c93 SHA-1: 2ba830e82d2efa6109350c7fbf500b41bd71a0e9 SHA-256: d0375fb2448e91b47b97f3fb132a6eafd04974da5496c55adb2bdb310e9f5ea3
76 Risk Score

🔏 Digital signature Signature invalid

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript streams and XFA form elements, indicating a potential for malicious code execution. The presence of JavaScript suggests an attempt to download and execute a second-stage payload or exploit a vulnerability within the PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • PDF digital signature is cryptographically invalid medium PDF_SIGNATURE_INVALID
    A signature's CMS failed verification: either the signer's signature over the signed attributes is invalid, or the signed content digest does not match the bytes the ByteRange covers. The signature was tampered with, forged, or the signed content was altered.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/3.0/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.8/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-data/1.0/'/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-data/1.0/Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off0006d90c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6D90C 289498 bytes
SHA-256: dcefc16710d335e69f60cdd8a0e174d43939d02eaa8dd4c6d7ce4ca63f06495b

Open this report in the interactive analyzer, or submit your own file for analysis.