Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9e75145c753f9f9…

MALICIOUS

PDF

6.9 KB First seen: 2026-05-11
MD5: 95b434ba5a44afaf05f76cc472eabddf SHA-1: ff644bc3b2357f104ca746f48e0d80ea01533d6f SHA-256: d9e75145c753f9f98efd3948c91eca0de33638bc5e5f8a6aa4996cec523b52f9
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript

The PDF contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The JavaScript stream is further obfuscated by an unescape() call. While no specific malicious URLs or commands were extracted, the presence and obfuscation of JavaScript strongly suggest an attempt to execute arbitrary code, likely for malicious purposes such as downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9833

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function RandomVar8(RandomVar9){return unescape(RandomVar9.replace(/Zb7FaY4eDp/g,'%u'));}
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000006e3.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6E3 756 bytes
SHA-256: 1391ca68596db7445ed9fda7459aeb67b730d9fcd16eb358a170c9081be82cb9

Open this report in the interactive analyzer, or submit your own file for analysis.