Malicious PDF — malware analysis report

Static analysis result for SHA-256 9eede2ed0c52e10a…

MALICIOUS

PDF

Size: 22.4 KB
First seen: 2026-06-22
MD5: 36b05dce5943fffe05241c030a116ca4
SHA-1: a260ac8cf6d9c1f42e3e0fb3e01b4c9e3961b5ae
SHA-256: 9eede2ed0c52e10a364e69f97759e469d0f65af8ae0ad34981cef0ce357bcd7e
Risk Score: 116

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (5)

  • JavaScript action (severity: low, 2 related findings, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper (severity: critical, rule: PDF_JS_EXPORT_LAUNCH_DROPPER)
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: gdvvvv.doc
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 9 at offset 0x307
Size: 112818 bytes
SHA-256: 07ba38ef7026f299d336cabe473596fbac5923b233ce43c38aba94b34e3ed501
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 2 long base64-like blob(s).

Filename: javascript_obj0002_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 2 at offset 0x5779
Size: 59 bytes
SHA-256: 3f4773f17ca522104fa8260583adb098a935b0fa97539b6b6de0c883e8dc52c8
Preview script
First 1,000 lines of the extracted script
this.exportDataObject({ cName: "gdvvvv.doc", nLaunch: 2 });