Malicious PDF — malware analysis report

Static analysis result for SHA-256 277302bbcf1b6823…

MALICIOUS

PDF

1.1 KB First seen: 2026-05-10
MD5: 10ad4a309f157257ce4a83c544a4736d SHA-1: fd914b6a2aefa2c58eee3ee4ab01a473542e5d46 SHA-256: 277302bbcf1b682387851bbfd4a71d05fbd79e7c803f67377f9fa43823f0af71
208 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, which in turn uses the unescape function to decode what appears to be shellcode. The JavaScript is obfuscated, making its exact behavior difficult to determine, but the presence of shellcode suggests an attempt to execute malicious code. The primary technique observed is the use of JavaScript to execute obfuscated code, likely as a first stage for a more complex payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 3 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader JavaScript heap-spray exploit (known CVE family) critical CVE related PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    PDF JavaScript combines heap-spray staging (NOP-sled / shellcode nybble sled or a multi-kilobyte setTimeOut/setInterval launcher) with the removed Adobe Reader sink Collab.collectEmailInfo, associated with CVE-2007-5659. Benign documents never pair heap-spray with these long-removed APIs. The exact malformed argument is assembled at run time, so this attributes the exploit to a known pre-2011 Reader CVE family rather than the exact primitive.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     /JS (
var shellcode = unescape("%u9090%u9090%u9090");
util.printf
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x2B4 137 bytes
SHA-256: ba1ea087be0fda44ab56d76cb851fa22ee6cd6e999696951e926216526720cb9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var shellcode = unescape("%u9090%u9090%u9090");
util.printf
spell.customDictionaryOpen
getAnnots
collab.collectEmailInfo
collab.getIcon
javascript_obj0007_001.js pdf-javascript-stream PDF /JS object 7 at offset 0x2B4 46 bytes
SHA-256: da6ac744f944fa459ae3f50ca1b36e6e210f85bd8b4036918efc87e83c407c6a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var shellcode = unescape("%u9090%u9090%u9090"

Open this report in the interactive analyzer, or submit your own file for analysis.