Malicious PDF — malware analysis report

Static analysis result for SHA-256 39e86112d2c135f4…

Verdict: MALICIOUS
File type: PDF
Size: 2.07 MB
Created: (metadata value not printable)
Authoring application: (metadata value not printable)
First seen: 2026-02-18

MD5: 911f640025918e201d46fb69c45a5f3e
SHA-1: 44b580a7659fd6103db66cd0d3e8bf223210439b
SHA-256: 39e86112d2c135f42efca746822803e7120e9ac5f3c6a3b82a7664bdb24cf6b8

Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF file is encrypted and contains JavaScript, as indicated by the PDF_ENCRYPTED_WITH_JS heuristic. This suggests the document is designed to conceal its malicious payload from static analysis. The unusually high number of streams (PDF_MANY_STREAMS) is a further sign of obfuscation. Together, encryption and embedded JavaScript indicate a likely delivery mechanism for a secondary stage, possibly a downloader or exploit.

Machine Learning

  • Nyx PDF Classifier clean score 0.0027

Heuristics (2)

  • Encrypted PDF carries /js: payload hidden from static analysis (severity: high, PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/js). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Unusually high stream count (severity: medium, PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.