Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc1422fe91e1031a…

Verdict: MALICIOUS

File type: PDF

Size: 3.9 KB
First seen: 2026-05-04
MD5: 120a64cf44176af283ba0578385c59fb
SHA-1: 3c3515a12946ccb6922f44994f37a6f66a1cba90
SHA-256: bc1422fe91e1031a13bf59312ce372304a038889f7ba434d5aea3cd3a6065532
Risk score: 116

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and an embedded file named 'Kt.doc'. The JavaScript action is configured to export the embedded data object, which is the 'Kt.doc' file. This suggests the PDF is a lure to trick the user into opening a malicious document, likely for further exploitation. The ML classifier strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • JavaScript action (severity: low, 2 related findings, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch — embedded-file launch-on-open dropper (severity: critical, rule PDF_JS_EXPORT_LAUNCH_DROPPER)
    PDF JavaScript calls exportDataObject() with nLaunch set, which extracts the document's embedded file and launches it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

Kt.doc | pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x388 | 16924 bytes
  SHA-256: ce30aacf6c429378c51e3d4cae4b3791dd8d589837372b9bfee048e27fb0a1ae
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 4 long base64-like blob(s))

javascript_obj0009_000.js | pdf-javascript-stream | PDF /JS object 9 at offset 0xDFE | 55 bytes
  SHA-256: bbd15febebb71a96965ae92c9c3f15c6865b95ee7dfc9b3f84dd914b979b73e4
  Script preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "Kt.doc", nLaunch: 2 });

javascript_obj0009_001.js | pdf-javascript-stream | PDF /JS object 9 at offset 0xDFE | 53 bytes
  SHA-256: 543a9a9d8ae5543329d0cf0dac6ad28f61b6776cf608cc5ebcab83ba81c3fdaf
  Script preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "Kt.doc", nLaunch: 2 }

combined_document_js_000.js | deobfuscated-js | combined document JavaScript streams at offset 0xDFE | 109 bytes
  SHA-256: 6fcbe111b218e8a56097837060ed85f6e571aecce582f36b558652c7d0198f83
  Script preview (first 1,000 lines of the extracted script):
    this.exportDataObject({ cName: "Kt.doc", nLaunch: 2 });
    this.exportDataObject({ cName: "Kt.doc", nLaunch: 2 }