PDF malware analysis — malicious · e5e49c54091884c5

MALICIOUS

PDF

700 B Authoring application: malicious-pdf (via https://github.com/jonaslejon/malicious-pdf) First seen: 2026-06-09

MD5: 25c3594bad672b20f9c11f43fda39f57 SHA-1: e95d604f38b6dc3c4a2e0763db2279fa11b0aa5d SHA-256: e5e49c54091884c53f20a5da9913a52d2ee0cf72165435243d41523d95fefdc9

168 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9957

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT

A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://github.com/jonaslejon/malicious-pdf In PDF document text
- https://192.168.1.19/test46-obj-injectIn PDF document text

Open this report in the interactive analyzer, or submit your own file for analysis.