Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f98b68ec1155d70…

MALICIOUS

PDF

645 B First seen: 2026-05-10
MD5: 1766cfe62e0d98ea3702061a8df1b111 SHA-1: 53991dc25bed1df6dd994145cd3d7e7293f7e957 SHA-256: 2f98b68ec1155d705d5f53864a764faa3a680fe425e3c4996c0eb3731ac05b38
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript with an eval() call, indicating an attempt to execute arbitrary code. The JavaScript is obfuscated, making its exact function difficult to determine, but the presence of eval() strongly suggests a malicious intent, likely to download and execute a second-stage payload. The heuristics indicate suspicious JavaScript and an eval() call, supporting this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function testCallee(){var a = 'b'; app.alert('AAA');eval(arguments.callee);}
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js pdf-javascript-stream PDF /JS object 6 at offset 0x12D 78 bytes
SHA-256: 08806aded1c24fb4dc2ae48ca0f1b74b6c5e069ed852f75281e11940718c3f95
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function testCallee(){var a = 'b'; app.alert('AAA');eval(arguments.callee);}
javascript_obj0006_001.js pdf-javascript-stream PDF /JS object 6 at offset 0x155 304 bytes
SHA-256: 8c18e7e66b5c134e10be5263de5c676125ccc86c4440e564879249451cb54ff0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function testCallee(){var a = 'b'; app.alert('AAA');eval(arguments.callee);}


endstream
endobj
xref
0 7
0000000000 65535 f
0000000017 00000 n
0000000093 00000 n
0000000134 00000 n
0000000184 00000 n
0000000248 00000 n
0000000301 00000 n
trailer<</Size 7/Root 1 0 R>>
startxref
440
%%EOF

Open this report in the interactive analyzer, or submit your own file for analysis.