Malicious PDF — malware analysis report

Static analysis result for SHA-256 f98697ca4e31c976…

Verdict: MALICIOUS
File type: PDF
Size: 7.1 KB
First seen: 2026-05-10
MD5: 6b07eaa9bb307c15887df15eacc54e78
SHA-1: 59f4036d8f258357d03bf8aa6f71d0ed4c499800
SHA-256: f98697ca4e31c9768523362d883c0c5c45c5dce6af99444509f26d1086511257
Risk score: 150

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell)

The PDF file exhibits suspicious characteristics, including embedded JavaScript and an unescape() call, indicating potential malicious activity. The presence of decompressed streams suggests an attempt to hide or obfuscate malicious code. While no specific URLs were found to be malicious, the overall structure points towards a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9825

Heuristics (5)

  • JavaScript action (severity: low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script: RandomVar1=unescape(RandomVar1);
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                       Source                                    Size
stream_002_off00000327.bin   decompressed-pdf-stream    PDF FlateDecoded stream at offset 0x327   2970 bytes
  SHA-256: 1c542e8c9bdf8ec570318c247556245bec9f7f72958f6b0353005c32dea5a8c3
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
stream_003_off0000083c.bin   decompressed-pdf-stream    PDF FlateDecoded stream at offset 0x83C   442 bytes
  SHA-256: 5c59f71d906ada6624492fe605c9161289bc89debf4068346a438cfcc4ecee66