PDF malware analysis — malicious · 86712feaff3f99bf

MALICIOUS

PDF

950 B First seen: 2026-05-11

MD5: a796b1c1cf1e7bb1f4966f542a0c1c85 SHA-1: 8728cc8cdabc028d5463bc341bac1ca7253f4dd8 SHA-256: 86712feaff3f99bf6e914ee97e25370e26e7b1eac15d1eb2ad91c6d6faf05bc3

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript, flagged by multiple heuristics including PDF_JAVASCRIPT and PDF_JS_EXPLOIT_CLUSTER. The presence of an eval() call within the JavaScript stream indicates an attempt to dynamically execute code, likely to exploit a known PDF vulnerability for client execution. No specific IOCs like URLs or file paths were extracted from the script content.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
eval("app.alert('lolllle');")
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0x26D 329 bytes

Filename	Kind	Source	Size
`javascript_obj0012_001.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x26D	329 bytes
SHA-256: `d8b3cbfd4c0b298d9cfa4e3700f8f176232b25f98bb6230683c1ffc33b8e4545`
Preview script First 1,000 lines of the extracted script app.alert('baaaaa'); endstream endobj xref 0 7 0000000000 65535 f 0000000017 00000 n 0000000101 00000 n 0000000165 00000 n 0000000209 00000 n 0000000287 00000 n 0000000339 00000 n trailer << /Root 1 0 R /ID [<2B8AC9FAB69B320551A0B85B882985F7> <2B8AC9FAB69B320551A0B85B882985F7>] /Size 7 >> startxref 428 %%EOF

SHA-256: d8b3cbfd4c0b298d9cfa4e3700f8f176232b25f98bb6230683c1ffc33b8e4545

Preview script

First 1,000 lines of the extracted script

app.alert('baaaaa');
endstream
endobj
xref
0 7
0000000000 65535 f
0000000017 00000 n
0000000101 00000 n
0000000165 00000 n
0000000209 00000 n
0000000287 00000 n
0000000339 00000 n
trailer
<<
/Root 1 0 R
/ID [<2B8AC9FAB69B320551A0B85B882985F7> <2B8AC9FAB69B320551A0B85B882985F7>]
/Size 7
>>
startxref
428
%%EOF

Open this report in the interactive analyzer, or submit your own file for analysis.