PDF malware analysis — malicious · 7a70243c6eca1fc5

MALICIOUS

PDF

3.4 KB First seen: 2026-05-11

MD5: ba7268d4bca123c3c09fda73f7c5edc1 SHA-1: dc834a585b1373eefa8f85ac76a3bbf9933b6ee7 SHA-256: 7a70243c6eca1fc597f9c7874903a0b0c612703ec3ca42e7bfa0042d8f99f758

118 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains obfuscated JavaScript, indicated by the 'PDF_JAVASCRIPT' and 'PDF_JS_REPLACE_OBFUSCATED_CHARCODE_BUILDER' heuristics. The JavaScript is likely used to download and execute a second-stage payload. The 'PDF_FILTER_HEX' heuristic also suggests the presence of exploit indicators within the PDF structure.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 3

JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript rebuilds a builtin via replace() to run a char-code array critical PDF_JS_REPLACE_OBFUSCATED_CHARCODE_BUILDER

Decoded PDF JavaScript resolves a String builtin from a junked literal — e.g. String['eQvoaol3'.replace(/[3oQS5]/g,'')] yielding fromCharCode/eval — and feeds a large numeric char-code array through it to rebuild and execute the next stage. Dynamically reconstructing a builtin name by stripping junk characters has no benign purpose; paired with the char-code payload array it is an unambiguous obfuscated-JavaScript exploit dropper.
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes

Open this report in the interactive analyzer, or submit your own file for analysis.