Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a53df6961128d71…

MALICIOUS

PDF

4.4 KB
MD5: ff0b2abed6870ac5a73f4b59bffba870 SHA-1: ae1dcb2f92c152d97c3d8b7f1f84e07ff6a6310c SHA-256: 7a53df6961128d7113069238cfb047b9b22972b7e08057c859950a0c7812e64d
258 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that leverages a prototype pollution vulnerability (CVE-2026-34621) to execute commands. The script attempts to use app.launchURL to run cmd.exe, indicating an intent to achieve arbitrary code execution. This is a common technique for delivering second-stage payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 8

  • Acrobat prototype-pollution PoC/exploit pattern — CVE-2026-34621 related critical CVE likely CVE_2026_3461_RELATED
    PDF JavaScript combines Acrobat prototype pollution targeting privileged state with an execution or sensitive file-read primitive. This matches the likely CVE-2026-34621 PoC/exploit cluster without asserting the exact internal Adobe API chain.
  • Prototype-pollution JavaScript pattern high CVE related PDF_JS_PROTOTYPE_POLLUTION
    PDF JavaScript mutates object prototypes while also referencing privileged or sensitive PDF APIs. This tracks a modern PDF exploit technique family without assigning an unverified CVE.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • app.launchURL with file/cmd/UNC target high PDF_FOXIT_LAUNCHURL
    PDF JavaScript invokes app.launchURL() with a file://, cmd:, or UNC target — Foxit and Adobe handle these schemes inconsistently and they have been used for code execution and NTLM credential theft. (matched in decompressed stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.example.com

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
3a0e5a60437c4ef48f69f145116164be25107c396cfb1620a870a215cca02d27		 pdf-javascript-stream PDF /JS object 6 at offset 0x15 3657 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 shell/COM execution token(s).
javascript_obj0006_001.js
de0b9eb0537d3dfd7797892a46043e093e29f1c2dcfb3f9105d8c2e07685fa21		 pdf-javascript-stream PDF /JS object 6 at offset 0x15 3798 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 shell/COM execution token(s).
combined_document_js_000.js
91e2d06509ba97cec52507204e10a71a7b0c681b6b3e864715c7423a295a0006		 deobfuscated-js combined document JavaScript streams at offset 0x15 7456 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 18 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.