Malicious PDF — malware analysis report

Static analysis result for SHA-256 4db6480bf9d03ad9…

MALICIOUS

PDF

Size: 67.1 KB
First seen: 2026-05-11
MD5: dcba2985a9685eafb616c93c5ff47e9c
SHA-1: a949bcd7a003c9638fc4b4ddbd3bdcc2fe8dafc1
SHA-256: 4db6480bf9d03ad9177f7cfd5584aa95b36b0d71dd65a79ffeb353c765511d13
Risk Score: 68

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream, named 'javascript_obj0012_000.js', is obfuscated and likely responsible for downloading and executing a second-stage payload from the embedded URL 'http://www.bitstream.com'. The document body is unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Suspicious extracted artifact (severity: medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bitstream.com (found in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0x10A83
Size: 137 bytes
SHA-256: 3e4dc715894c395c375adc8b5081e2c6fc6b12c4c9ef4238d3fc6b4984d139c6
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script)
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
var s='';
eva(s.split("").reverse().join(""));
Filename: font_00_sfnt_off0000035e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x35E
Size: 67284 bytes
SHA-256: 35b6962eeb9aa4a8acb1109b74102eb9d08ab437da4460a890e43cabdc8c59d3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)