Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0c775a215124c1a…

MALICIOUS

PDF

3.4 KB First seen: 2026-05-11
MD5: f03627131938693834926c4a9003418f SHA-1: 2fcaf973f0cbd47e6cc82869add9f541e9738f11 SHA-256: e0c775a215124c1ac95266c226f9e3c45b603d8f196f3f2a20b41bd4bd8ff563
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains a JavaScript action and uses ASCIIHexDecode filters, indicating an attempt to obfuscate malicious content. The ML classifier strongly flags this PDF as malicious. The presence of JavaScript suggests the intent to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript rebuilds a builtin via replace() to run a char-code array critical PDF_JS_REPLACE_OBFUSCATED_CHARCODE_BUILDER
    Decoded PDF JavaScript resolves a String builtin from a junked literal — e.g. String['eQvoaol3'.replace(/[3oQS5]/g,'')] yielding fromCharCode/eval — and feeds a large numeric char-code array through it to rebuild and execute the next stage. Dynamically reconstructing a builtin name by stripping junk characters has no benign purpose; paired with the char-code payload array it is an unambiguous obfuscated-JavaScript exploit dropper.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes