Malicious PDF — malware analysis report

Static analysis result for SHA-256 97c2facf0756db26…

Verdict: MALICIOUS
File type: PDF

Size: 31.6 KB
First seen: 2026-05-08
MD5: 700f56e73670a7a1ca4415d26cd96318
SHA-1: 456916a1e4d86c1946376511e71e99c4dd88816c
SHA-256: 97c2facf0756db268ccedde4688614e1a06bb1c8682a66ff33f6da8fa4bf5416
Risk Score: 66

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_FILTER_HEX heuristic suggests the use of ASCIIHexDecode with exploit indicators. While the JavaScript content is minimal and obfuscated, its presence strongly suggests an attempt to execute arbitrary code. The specific intent of the script is unclear due to obfuscation, but it likely serves as a dropper or downloader for further malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (3)

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0043_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 43 at offset 0x68B2
Size: 45 bytes
SHA-256: fd5f245700c5c2da5cce9ccd537c4c61fe087a1c6e1ea584b4d8cd730e3511a4
First 1,000 lines of the extracted script
var filuskoe = "kto poidet za klisnskim? ";