Malicious PDF — malware analysis report

Static analysis result for SHA-256 53efc25251de90d4…

MALICIOUS

PDF

9.9 KB First seen: 2026-05-10
MD5: 56a0f46f8c747449e4ed755f55e90995 SHA-1: f4cf42e165ef09900aae46026d4d5cc9a3a86d0d SHA-256: 53efc25251de90d4f0dad8bd999acd5d812a7a68c5e6b2cabf079178d2279b5e
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the JavaScript is obfuscated and uses eval() to execute code. The extracted JavaScript stream (stream_002_off00000329.js) is the primary artifact. The likely intent is to download and execute a second-stage payload, although the exact URL or payload is not directly visible due to obfuscation. The benign URLs present are standard PDF metadata namespaces and do not indicate malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5970

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    eval(/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/apple.replace(/v5Tr3zGrQ/igm,'').replace(/E4g5Ba6YfFzN/igm,'')/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/);/*fGhkjkDFhkhsfd <FDSJHFhkjkjSDFkj> FDKLFJHklfkldshfSLDf*/
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000329.js decompressed-pdf-stream PDF FlateDecoded stream at offset 0x329 54688 bytes
SHA-256: 53082ca9819d012e7bc00d5a9e46dd6c0521fbde4d06c59b3f33f31ba3bd4c05
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 335 of 336 identifiers look randomly generated (e.g. 'v5Tr3zGrQ1E4g5Ba6YfFzN2v5Tr3zGrQ9E4g5Ba6') — consistent with name-mangling obfuscation. Carved artifact contains 8 long base64-like blob(s).
objstm_0024_00.bin pdf-objstm-decoded PDF /ObjStm 24 0 obj (inflated) 331 bytes
SHA-256: a05ce5e3a7b12a335f524d4d4952cef5c14b919990ecb98fcf5499917cafd989

Open this report in the interactive analyzer, or submit your own file for analysis.