Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8fc1dba4ecce4de…

MALICIOUS

PDF

Size: 47.3 KB
Created: 2010-02-15 14:54:14 +03:00
Authoring application: [\!_@\$~] (via d54a439ba19be7fe2b18622f6e53587e)
First seen: 2026-05-10
MD5: 638ffbb97720c5390cf205b3a9b157c4
SHA-1: 83ad8471dc24baf0debeacb2d55335247ea248ed
SHA-256: f8fc1dba4ecce4de8e865c53f77a67bc44ab9f1275a1c13f9a223ece844c9cc3
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and streams. The presence of ASCIIHexDecode and ASCII85Decode filters, often used to obfuscate malicious content, further supports this. The embedded JavaScript is likely intended to exploit a vulnerability within the PDF reader to execute arbitrary code, potentially leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics (5)

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0024_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 24 at offset 0xB699
Size: 118 bytes
SHA-256: 0799a08d11f765cd61b1ad902c9e6dc3ccf598c6f14e2e62cc0f383a3ecf6636
Script preview (first 1,000 lines of the extracted script):
roVsnyjkh6 = roVsnyjkh6.replace(new RegExp(yk1Qe9CX4[t6fFtYEDC][vAhjqFkk], 'g'), '');yk1Qe9CX4[xZnkhJfp9](roVsnyjkh6);