Malicious PDF — malware analysis report

Static analysis result for SHA-256 90ffbcbf89e587ef…

MALICIOUS

PDF

170.7 KB First seen: 2026-05-09
MD5: f508dd8b287ce8dac2a5780c539e1456 SHA-1: a024224fd81fd0a372c24a40ae7f7687898824b0 SHA-256: 90ffbcbf89e587efa3e4c95528525880d05fa042c6a52ccd6064a9b4482c440d
120 Risk Score

🔏 Digital signature Signed

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The presence of an unescape() call within the JavaScript stream suggests obfuscation, a common technique for hiding malicious code. While no specific malicious URLs or scripts were directly extracted and reconstructed, the overall structure points to an attempt to execute arbitrary code. The heuristics suggest the JavaScript is likely intended to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0010

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
              if (vend == -1) vend = clen;
                return unescape(dcookie.substring(vbegin, vend));
                }
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/In PDF document text
    • https://www.verisign.com/repository/CPS��In PDF document text
    • https://www.verisign.comIn PDF document text
    • https://www.verisign.com/repository/verisignlogo.gif0��In PDF document text
    • https://www.verisign.com/CPS0bIn PDF document text
    • http://www.microsoft.com/typographyIn PDF document text

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00002f5a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F5A 547 bytes
SHA-256: 6e7bd58e8acd6d57c03edbdfcc4791cc825eb96fd746381f6f6e6f058abe9dc2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
stream_042_off0000fbcc.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFBCC 11308 bytes
SHA-256: 463474d013ca32bddf94e7e521f7c517511b092eb77b7a53855ac54d90fbbfbe
stream_048_off00016e9d.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16E9D 50374 bytes
SHA-256: 02c0768901e0feb87f516ab2b4a9a91b8d06fef4669a7dd3df83a875d30d8d08
objstm_0724_00.bin pdf-objstm-decoded PDF /ObjStm 724 0 obj (inflated) 5560 bytes
SHA-256: 21d24315fc3aff4b01979bf0d0630e0d6957872b8eeec0369fb3e22a9d7df3f8
objstm_0156_00.bin pdf-objstm-decoded PDF /ObjStm 156 0 obj (inflated) 19817 bytes
SHA-256: f6a01c8d8d4a7609d0a9f10dd903c4fe370fb726b0b74f59c65ff8a0b22c3486
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 long base64-like blob(s).
objstm_0157_00.bin pdf-objstm-decoded PDF /ObjStm 157 0 obj (inflated) 9111 bytes
SHA-256: b9db8a1079e2fbda03f7c74813a8b042484601580c0db7e9f5a97248886b1c6d

Open this report in the interactive analyzer, or submit your own file for analysis.