PDF malware analysis — malicious · d4e965e7cecb9001

MALICIOUS

PDF

21.4 KB First seen: 2026-05-10

MD5: 8efdd6d8ad94d9d6dd8ad2171b63a646 SHA-1: 5f50f5eb00a8b15f22cf7ab14932ab59d1cd4ddb SHA-256: d4e965e7cecb9001677add80cffc8e4bd6b0a3ee37949f68a5ebc6ef392d2495

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_FROMCHARCODE heuristic suggests obfuscation techniques are being used within the JavaScript. The extracted files, javascript_obj0031_022.js and javascript_obj0050_041.js, also show script obfuscation. The primary function of the embedded JavaScript appears to be downloading and executing a second-stage payload, though the exact URL or execution method could not be fully reconstructed due to obfuscation.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
/S /JavaScript
/JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);})
>>
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_001.js`	pdf-javascript-stream	PDF /JS object 10 at offset 0x362E	40 bytes
SHA-256: `f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e`
Preview script First 1,000 lines of the extracted script var ppp=new Array();var nnn=new Array();
`javascript_obj0011_002.js`	pdf-javascript-stream	PDF /JS object 11 at offset 0x3694	124 bytes
SHA-256: `e4fddecc219804f722891911d09333182fd69540e9fa0f04f77f1787a9039b59`
Preview script First 1,000 lines of the extracted script ppp[0]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0012_003.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x374A	86 bytes
SHA-256: `9ed4b4e932d4a137776f179cc08be16f647ce808bbe1d2d5cfe8520c6eaf10d5`
Preview script First 1,000 lines of the extracted script ppp[1]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0013_004.js`	pdf-javascript-stream	PDF /JS object 13 at offset 0x37DA	68 bytes
SHA-256: `6efcadc2a90e6abdec5b34135252f90e00b541dab3876dacbff84b8c9719a9a0`
Preview script First 1,000 lines of the extracted script ppp[2]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0014_005.js`	pdf-javascript-stream	PDF /JS object 14 at offset 0x3858	68 bytes
SHA-256: `f26f964477d4c8f3ac8263e2896c1b30117efc3b844e625dd998bcaae338d5e9`
Preview script First 1,000 lines of the extracted script ppp[3]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0015_006.js`	pdf-javascript-stream	PDF /JS object 15 at offset 0x38D6	126 bytes
SHA-256: `fb1d72a5210d0525dc130b20a512601e4643dba6c0c7b09f6419f616ffaa12aa`
Preview script First 1,000 lines of the extracted script ppp[4]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0016_007.js`	pdf-javascript-stream	PDF /JS object 16 at offset 0x398E	66 bytes
SHA-256: `9e5d0d28555914fa60a307ca55a02e3731367a0715b28a5ada9ff614f3bba7e9`
Preview script First 1,000 lines of the extracted script ppp[5]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0018_009.js`	pdf-javascript-stream	PDF /JS object 18 at offset 0x3A58	34 bytes
SHA-256: `535e46697307bf8464f1054aa594f4bf00fd7526136479c355ebb2c33bf41fcb`
Preview script First 1,000 lines of the extracted script ppp[7]='MMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0019_010.js`	pdf-javascript-stream	PDF /JS object 19 at offset 0x3AB4	34 bytes
SHA-256: `f36618a627e088b4a9d8123f6ccfc0e4d78c8ccd888f674a1ca3bdf9c9ce4001`
Preview script First 1,000 lines of the extracted script ppp[8]='MMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0020_011.js`	pdf-javascript-stream	PDF /JS object 20 at offset 0x3B10	60 bytes
SHA-256: `1cb7428e40334bc7db275d985115384344d64f38d76e9421a3ce6cb44b01c1c5`
Preview script First 1,000 lines of the extracted script ppp[9]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0022_013.js`	pdf-javascript-stream	PDF /JS object 22 at offset 0x3BD3	37 bytes
SHA-256: `a22e777785b244e0bf3706a7a73d92671b54519cf45639bfc2a8a8e9417341d0`
Preview script First 1,000 lines of the extracted script ppp[11]='MMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0023_014.js`	pdf-javascript-stream	PDF /JS object 23 at offset 0x3C32	49 bytes
SHA-256: `f84223a9169180fff69585a9dd4b9acf2f06e3626f2b3857ae875f4ba905415e`
Preview script First 1,000 lines of the extracted script ppp[12]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0024_015.js`	pdf-javascript-stream	PDF /JS object 24 at offset 0x3C9D	83 bytes
SHA-256: `0f8f025d8dd652a6935a8243f6a40e04d94823e346a7e3e23219a20037303d93`
Preview script First 1,000 lines of the extracted script ppp[13]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0025_016.js`	pdf-javascript-stream	PDF /JS object 25 at offset 0x3D2A	105 bytes
SHA-256: `f0545d7def7a0b26850125a0b47dc52125259b752f66180320722f484d747e4b`
Preview script First 1,000 lines of the extracted script ppp[14]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0026_017.js`	pdf-javascript-stream	PDF /JS object 26 at offset 0x3DCD	63 bytes
SHA-256: `755fca4308c22b55c12e1262aeb4ff70661e086328676b5476ed7e0174d93ace`
Preview script First 1,000 lines of the extracted script ppp[15]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0027_018.js`	pdf-javascript-stream	PDF /JS object 27 at offset 0x3E46	45 bytes
SHA-256: `5f33c020daa4de397524e72b76cf526a2012dd47dc5cceb0cbe3df25e38f497e`
Preview script First 1,000 lines of the extracted script ppp[16]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0028_019.js`	pdf-javascript-stream	PDF /JS object 28 at offset 0x3EAD	101 bytes
SHA-256: `d4f0e9ae960900dc2d53dee52fb07e050215daa44c650347b2316d8e09cdd89f`
Preview script First 1,000 lines of the extracted script ppp[17]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0030_021.js`	pdf-javascript-stream	PDF /JS object 30 at offset 0x3FA5	101 bytes
SHA-256: `7b174f06e00ec01a746b9d6ef45daa098b04961f0998d26902f41140bc07b7a9`
Preview script First 1,000 lines of the extracted script ppp[19]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0031_022.js`	pdf-javascript-stream	PDF /JS object 31 at offset 0x4044	131 bytes
SHA-256: `7195f823065d39b6338cdca4728e3efb02079febbc92f1acbc89c760c8c6e472`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
Preview script First 1,000 lines of the extracted script ppp[20]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0032_023.js`	pdf-javascript-stream	PDF /JS object 32 at offset 0x4101	115 bytes
SHA-256: `84d026686e631b2469651a0bc6b659c8fcfcf678367ccc5b8c2f12628024b821`
Preview script First 1,000 lines of the extracted script ppp[21]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0033_024.js`	pdf-javascript-stream	PDF /JS object 33 at offset 0x41AE	123 bytes
SHA-256: `5a7dddb7b75e011c8d63469e51eabbbb36962bcaa24433c1c49e90598d97b91a`
Preview script First 1,000 lines of the extracted script ppp[22]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0034_025.js`	pdf-javascript-stream	PDF /JS object 34 at offset 0x4263	89 bytes
SHA-256: `8eeb64f4418149fff36c7e8c2ee3eb498d673f76344967da7b06a44e9c328d18`
Preview script First 1,000 lines of the extracted script ppp[23]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0038_029.js`	pdf-javascript-stream	PDF /JS object 38 at offset 0x43EF	119 bytes
SHA-256: `cb02d54b69b46038f050d21484b59f4c0fd7fb9b5e87f814c6ea1bcb1e4506c1`
Preview script First 1,000 lines of the extracted script ppp[27]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0039_030.js`	pdf-javascript-stream	PDF /JS object 39 at offset 0x44A0	49 bytes
SHA-256: `688c515ebdb7cc8bb7bb796e36fab37e2156ba0b6d6ad856d22ff253737a40e7`
Preview script First 1,000 lines of the extracted script ppp[28]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0040_031.js`	pdf-javascript-stream	PDF /JS object 40 at offset 0x450B	73 bytes
SHA-256: `923858692b38434022fe205ae41b97d23f6fd8e583a9b05f485d1a82adba26f3`
Preview script First 1,000 lines of the extracted script ppp[29]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0041_032.js`	pdf-javascript-stream	PDF /JS object 41 at offset 0x458E	109 bytes
SHA-256: `8c430f37917ce85e9e1d00997f797828d39d2455222e962cf018b4415cf55dda`
Preview script First 1,000 lines of the extracted script ppp[30]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0042_033.js`	pdf-javascript-stream	PDF /JS object 42 at offset 0x4635	81 bytes
SHA-256: `c7eaf5d51b368e39c6fb1a47bd0a5b4a96791f2451b9e471799e82df8c24be78`
Preview script First 1,000 lines of the extracted script ppp[31]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0043_034.js`	pdf-javascript-stream	PDF /JS object 43 at offset 0x46C0	57 bytes
SHA-256: `c564ad2fdcf37b40d388b907301094e7c19137b1f4ad55a535c7e0effaa899a7`
Preview script First 1,000 lines of the extracted script ppp[32]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0044_035.js`	pdf-javascript-stream	PDF /JS object 44 at offset 0x4733	65 bytes
SHA-256: `c8946fa180b2a22e272e2a362f1fba8a688381de7b0fb6e7614ecd98ac53445f`
Preview script First 1,000 lines of the extracted script ppp[33]='MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM';
`javascript_obj0048_039.js`	pdf-javascript-stream	PDF /JS object 48 at offset 0x4889	49 bytes
SHA-256: `5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f`
Preview script First 1,000 lines of the extracted script var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];
`javascript_obj0049_040.js`	pdf-javascript-stream	PDF /JS object 49 at offset 0x48F6	51 bytes
SHA-256: `9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf`
Preview script First 1,000 lines of the extracted script var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];
`javascript_obj0050_041.js`	pdf-javascript-stream	PDF /JS object 50 at offset 0x4965	121 bytes
SHA-256: `d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}

Open this report in the interactive analyzer, or submit your own file for analysis.