Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a967ea09303a816…

MALICIOUS

PDF

Size: 1.3 KB
First seen: 2026-05-08
MD5: 59225021f7cfbe642ccc3175947ec482
SHA-1: 7a74d8f71afa3a682645061dcf35db28fb456b2e
SHA-256: 2a967ea09303a816abdfc90b91df1653699a8cbbf47348e9ec8c0990746ed78f
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF document contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream includes an eval() call, which is a high-severity finding (PDF_EVAL), suggesting the execution of obfuscated code. The extracted JavaScript is too obfuscated to determine its precise function, but the presence of eval() strongly implies it attempts to download and execute a second-stage payload. This is supported by the 'Suspicious extracted artifact' heuristic firing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_JAVASCRIPT: JavaScript action (severity: low; 2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER: PDF JavaScript exploit cluster (severity: critical)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
        var w = 4;
        eval(this.title);
        )
  • PDF_JS: Embedded JS stream (severity: low)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact (severity: info)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off00000102.js
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x102
Size: 114 bytes
SHA-256: a14e2269e6a6c7a62bb8d165d5e6255d663b917ac7ea88b636419c9d12d38208
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))