PDF malware analysis — malicious · 3719244547c2960a

MALICIOUS

PDF

21.3 KB First seen: 2026-05-10

MD5: 445b26dd04d51e0230418e0d0dc5ae45 SHA-1: 4500777e99b81bc2f345996b432d46ab43a18557 SHA-256: 3719244547c2960a6c3e4998f49b86be1f0be2aaab58265d8cefda585cf1589a

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, with one being particularly large and obfuscated. The presence of PDF_JAVASCRIPT and PDF_JS heuristics, along with the use of String.fromCharCode, indicates that the JavaScript is designed to execute malicious code. The primary function of this script appears to be downloading and executing a second-stage payload, although the exact URL or payload could not be resolved due to obfuscation. The extracted file name 'javascript_obj0042_033.js' further supports the presence of malicious script content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
/S /JavaScript
/JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);})
>>
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_001.js`	pdf-javascript-stream	PDF /JS object 10 at offset 0x35F6	40 bytes
SHA-256: `f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e`
Preview script First 1,000 lines of the extracted script var ppp=new Array();var nnn=new Array();
`javascript_obj0011_002.js`	pdf-javascript-stream	PDF /JS object 11 at offset 0x365C	32 bytes
SHA-256: `c528329fe8ee21db2f72a9013950ffb58910f305ecc5239c65dacda32976538c`
Preview script First 1,000 lines of the extracted script ppp[0]='MMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0012_003.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x36B6	114 bytes
SHA-256: `a7ab3e59963085f10a33a7aa2da31a09f9610dac8b636cc84e3d9c73fb51ac92`
Preview script First 1,000 lines of the extracted script ppp[1]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0013_004.js`	pdf-javascript-stream	PDF /JS object 13 at offset 0x3762	36 bytes
SHA-256: `81b7406985387943695f0430f6dc6e76f2f07a597c40957268ebfdb698db4b1b`
Preview script First 1,000 lines of the extracted script ppp[2]='MMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0014_005.js`	pdf-javascript-stream	PDF /JS object 14 at offset 0x37C0	76 bytes
SHA-256: `0108e7cd3a47722e1e0690c45b31cd5988faa0a5ebbf372dd235afe1e4d2bd77`
Preview script First 1,000 lines of the extracted script ppp[3]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0015_006.js`	pdf-javascript-stream	PDF /JS object 15 at offset 0x3846	32 bytes
SHA-256: `0c25e71b032fbcf4e9a3c6d2f777ebb0a32cfe7b9c62a4e39231ad1d4ca591bc`
Preview script First 1,000 lines of the extracted script ppp[4]='MMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0016_007.js`	pdf-javascript-stream	PDF /JS object 16 at offset 0x38A0	60 bytes
SHA-256: `aec3e759bbfebd0f7738914706a947ab1ae85cac915280dc990a7b106222c673`
Preview script First 1,000 lines of the extracted script ppp[5]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0017_008.js`	pdf-javascript-stream	PDF /JS object 17 at offset 0x3916	52 bytes
SHA-256: `f3ee07333243e244c5d9067ba7d8a62be874205578ed4ec1c38105f3127acb61`
Preview script First 1,000 lines of the extracted script ppp[6]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0018_009.js`	pdf-javascript-stream	PDF /JS object 18 at offset 0x3984	116 bytes
SHA-256: `fc8c1d1c8ba5b5d7b01977d852244aa16bed0b4195dbaa65c0d119b078760f70`
Preview script First 1,000 lines of the extracted script ppp[7]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0019_010.js`	pdf-javascript-stream	PDF /JS object 19 at offset 0x3A32	54 bytes
SHA-256: `445595b1dff590818cb951a8d82af998f87500dfdd11fa4d83f3cd758cb79d71`
Preview script First 1,000 lines of the extracted script ppp[8]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0020_011.js`	pdf-javascript-stream	PDF /JS object 20 at offset 0x3AA2	116 bytes
SHA-256: `1ddda17ad316bc0713aac32cb55360366eb721abc88a0ee090f6b3eec04ace85`
Preview script First 1,000 lines of the extracted script ppp[9]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0023_014.js`	pdf-javascript-stream	PDF /JS object 23 at offset 0x3BEE	115 bytes
SHA-256: `88164f3f5e942a25e79fdc5fdea53e08edbe6e3fac6d3f5cbf2378ed5dccb31a`
Preview script First 1,000 lines of the extracted script ppp[12]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0024_015.js`	pdf-javascript-stream	PDF /JS object 24 at offset 0x3C9B	71 bytes
SHA-256: `23c16a6fd2e65c75fc4c1fa0f6ccd05a607364cda225a2b007e7c6a2c8f61c52`
Preview script First 1,000 lines of the extracted script ppp[13]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0025_016.js`	pdf-javascript-stream	PDF /JS object 25 at offset 0x3D1C	55 bytes
SHA-256: `849068f57428f1cf4e1fa23afcccc9dabc2102fd22786e6fee39bc4e5139851c`
Preview script First 1,000 lines of the extracted script ppp[14]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0027_018.js`	pdf-javascript-stream	PDF /JS object 27 at offset 0x3DD8	89 bytes
SHA-256: `75d605fbfebbe8e158bcfcb402dd305f2ef43734c919053f9be7b28e80f39474`
Preview script First 1,000 lines of the extracted script ppp[16]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0028_019.js`	pdf-javascript-stream	PDF /JS object 28 at offset 0x3E6B	61 bytes
SHA-256: `a68cdf8f81679b5afa2124655f03455764973e346d78fdc8fe2f31329ee6eed5`
Preview script First 1,000 lines of the extracted script ppp[17]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0030_021.js`	pdf-javascript-stream	PDF /JS object 30 at offset 0x3F2D	109 bytes
SHA-256: `5d1262938f725e5a7cec08cb219f9e05142b0cd126a17e7fa4ba1981af20fe2a`
Preview script First 1,000 lines of the extracted script ppp[19]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0031_022.js`	pdf-javascript-stream	PDF /JS object 31 at offset 0x3FD4	61 bytes
SHA-256: `255a38e4de72daa8c1a8ee463b688cd92edb34f403c90bf264d48105683a708c`
Preview script First 1,000 lines of the extracted script ppp[20]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0032_023.js`	pdf-javascript-stream	PDF /JS object 32 at offset 0x404B	53 bytes
SHA-256: `0aac8cdbe2305ca4d5a9fb445ca873388d5a569192c594f33cc19b8504b7009d`
Preview script First 1,000 lines of the extracted script ppp[21]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0033_024.js`	pdf-javascript-stream	PDF /JS object 33 at offset 0x40BA	93 bytes
SHA-256: `33802057d2a06460698b3882be7fdc15851d6e5e982f4dc6057859de57af875c`
Preview script First 1,000 lines of the extracted script ppp[22]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0034_025.js`	pdf-javascript-stream	PDF /JS object 34 at offset 0x4151	73 bytes
SHA-256: `e2f075fcd61e44a16dddab1685c3c4d0c2a672e3b6f19890ad6872bd093e1e64`
Preview script First 1,000 lines of the extracted script ppp[23]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0035_026.js`	pdf-javascript-stream	PDF /JS object 35 at offset 0x41D4	123 bytes
SHA-256: `7b7a423a31bc49e56784f32f496ccc421f6c0914e6e93562c98df46aa0782cb3`
Preview script First 1,000 lines of the extracted script ppp[24]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0036_027.js`	pdf-javascript-stream	PDF /JS object 36 at offset 0x4289	49 bytes
SHA-256: `2adcb4de1d78b0717132fe336db9b83111e14d548ea90c21ed26b2b747d37251`
Preview script First 1,000 lines of the extracted script ppp[25]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0037_028.js`	pdf-javascript-stream	PDF /JS object 37 at offset 0x42F4	63 bytes
SHA-256: `7990fea030f458aa0944cc177153eac5353407046c092911e418e31f6fc213a9`
Preview script First 1,000 lines of the extracted script ppp[26]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0038_029.js`	pdf-javascript-stream	PDF /JS object 38 at offset 0x436D	101 bytes
SHA-256: `c2855a6a826955eb51f117b4df2fa59adeb42fddeacd1e393988cc5c5620c88b`
Preview script First 1,000 lines of the extracted script ppp[27]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0040_031.js`	pdf-javascript-stream	PDF /JS object 40 at offset 0x445B	35 bytes
SHA-256: `83944ad0e7b0aee165de5f28eebdd02ba59d4670b6e7735dd548c521bfae2599`
Preview script First 1,000 lines of the extracted script ppp[29]='MMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0041_032.js`	pdf-javascript-stream	PDF /JS object 41 at offset 0x44B8	109 bytes
SHA-256: `8c430f37917ce85e9e1d00997f797828d39d2455222e962cf018b4415cf55dda`
Preview script First 1,000 lines of the extracted script ppp[30]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0042_033.js`	pdf-javascript-stream	PDF /JS object 42 at offset 0x455F	139 bytes
SHA-256: `25dede2233190b0b02c9114a512d0f0660b0ddaba54b129d2979bdff05e5a06c`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script ppp[31]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0043_034.js`	pdf-javascript-stream	PDF /JS object 43 at offset 0x4624	89 bytes
SHA-256: `6f0dc34565ae1d34a78baaa635e4645c8234fff4a639172d914fea6c2e2f0312`
Preview script First 1,000 lines of the extracted script ppp[32]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0044_035.js`	pdf-javascript-stream	PDF /JS object 44 at offset 0x46B7	115 bytes
SHA-256: `21be62cad391afe04239a90cfea1defa48e1c6bd9584a0600378d50e6e7326a2`
Preview script First 1,000 lines of the extracted script ppp[33]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0049_040.js`	pdf-javascript-stream	PDF /JS object 49 at offset 0x4896	49 bytes
SHA-256: `5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f`
Preview script First 1,000 lines of the extracted script var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];
`javascript_obj0050_041.js`	pdf-javascript-stream	PDF /JS object 50 at offset 0x4903	51 bytes
SHA-256: `9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf`
Preview script First 1,000 lines of the extracted script var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];

Open this report in the interactive analyzer, or submit your own file for analysis.