Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c0b11d2172affc1…

MALICIOUS

PDF

Size: 713 B
First seen: 2026-05-10
MD5: 72d3694bf792de75bff36a6da7ed5559
SHA-1: 689d979ecd1dc3ac28e30a204107534cebc11eb4
SHA-256: 3c0b11d2172affc1c24031c1692f3c7036e33f67602d06a469f2f8d58057d7f9
Risk Score: 66

Malware Insights

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_FILTER_HEX heuristic suggests the use of ASCIIHexDecode with exploit indicators. The embedded JavaScript is likely intended to be executed upon opening the PDF, potentially leading to further malicious activity. However, the script content is not available for detailed analysis, limiting the confidence in specific attack vectors.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ASCIIHexDecode filter (with exploit indicators) (medium, PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • JavaScript action (low, PDF_JAVASCRIPT; 1 related finding)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x146
Size: 89 bytes
SHA-256: 0e7e86f608e48af85ce1513a2c93fe6ee24cb70fe415a04911aa5198478f62fe
First 1,000 lines of the extracted script
app.alert({cMsg: 'OK', cTitle: 'Testing PDF JavaScript', nIcon: 3});