PDF malware analysis — malicious · 42e708b9a229cc57

MALICIOUS

PDF

93.5 KB Created: ¢m003Ão>ÎÊQü°rbÁ×+Ç@½ First seen: 2026-05-08

MD5: 94cd45feca90d16cba75da455dfee45b SHA-1: 1fc15421995d659bb1925a5d017825ef991df190 SHA-256: 42e708b9a229cc57d23790eee3c1879069f8e4c9f18e2b81f59f1094f7ceffd4

152 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_ENCRYPTED_WITH_JS heuristic suggests that the JavaScript is used to obscure the actual payload, which is a common technique for malware delivery. No document body text was available for analysis, but the presence of hidden JavaScript points to a malicious intent, likely for phishing or to download further malicious content.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 7

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.cadkas.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0026_000.js`	pdf-javascript-stream	PDF /JS object 26 at offset 0x99E7	42 bytes
SHA-256: `76e21958c55cd739dc2b69ddc0b41e5d5cf8ff3ddaccfc6393f1aec9622bde05`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script eval("eval(\""+getField("e").value+"\")");
`javascript_obj0032_000.js`	pdf-javascript-stream	PDF /JS object 32 at offset 0x2038	42 bytes
SHA-256: `4da4f73f6618057b400e95eb90896b30eebd559b412ef35499db75cc5f969607`
Preview script First 1,000 lines of the extracted script � ��< ˈ Ԙy.[�o��'I�<^L�X*�= y��

Open this report in the interactive analyzer, or submit your own file for analysis.