Malicious PDF — malware analysis report

Static analysis result for SHA-256 38851573fd1731b1…

MALICIOUS

PDF

22.8 KB First seen: 2026-05-13
MD5: 6762fa33ded362baed0d8111ff9d0e27 SHA-1: e490e88238377d54a12bc36c6d7f5a30fb1a47d7 SHA-256: 38851573fd1731b1bd94a38e35f5ea1bd1e4944821e08e27857d68a670c64105
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains JavaScript that uses the exportDataObject and nLaunch functions to automatically extract and launch an embedded file named 'gdvvvv.doc'. This is a common technique for delivering malicious payloads, often disguised as legitimate documents. The ML classifier strongly indicates maliciousness, supporting the dropper behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper critical PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
gdvvvv.doc pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x545 112818 bytes
SHA-256: 07ba38ef7026f299d336cabe473596fbac5923b233ce43c38aba94b34e3ed501
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
javascript_obj0009_000.js pdf-javascript-stream PDF /JS object 9 at offset 0x59BA 59 bytes
SHA-256: 3f4773f17ca522104fa8260583adb098a935b0fa97539b6b6de0c883e8dc52c8
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 });
javascript_obj0009_001.js pdf-javascript-stream PDF /JS object 9 at offset 0x59BA 57 bytes
SHA-256: 410d0b288c2ce8f013148bf8ceedcd98a8b44bbcb547acb1175409a5adb4d94b
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 }
combined_document_js_000.js deobfuscated-js combined document JavaScript streams at offset 0x59BA 117 bytes
SHA-256: 13068231ae9d8677028f036353e206779e3d713ac9838fb24aa3de1086179018
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 });
this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 }