Malicious PDF — malware analysis report

Static analysis result for SHA-256 30b61fe5a171e45b…

Verdict: MALICIOUS
File type: PDF
Size: 6.9 KB
First seen: 2026-05-10
MD5: 27a83d990f79ddc37dce33b53ed263a8
SHA-1: 81d47884985b2f899b02e5b4f44644046ac5fff9
SHA-256: 30b61fe5a171e45b5287f65320c0aef15cd6d2dce9bf9d2dc9509e48eaafeb6a
Risk Score: 148

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream utilizes the unescape() function, suggesting an attempt to decode and execute malicious code. While no specific malicious URLs or further script content were extracted, the presence of obfuscated JavaScript points towards a potential exploit or downloader. The benign URLs present are standard RDF and XAP namespaces and do not indicate malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9833

Heuristics (4)

  • JavaScript action (severity: low; 2 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    function RandomVar8(RandomVar9){return unescape(RandomVar9.replace(/Zb7FaY4eDp/g,'%u'));}
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all found in PDF document text):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000071c.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x71C
Size: 580 bytes
SHA-256: b856f4f9ff2074e74198c7f0de0786268390dfe032e306bea83e51af15570446