Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff686d6f34dbdb1b…

MALICIOUS

PDF

Size: 12.4 KB
Created: 2010-02-12 22:33:28
Authoring application: Thcevzapedehna
First seen: 2026-05-10
MD5: 6a5f739c921fd78f6e6bedce1cd6b6d7
SHA-1: ff0bff73f5c4aebad662fb5bac9e41ad1dcf2f21
SHA-256: ff686d6f34dbdb1b7a4e7331649be8e4738c477274b9bf86a53f10c12c045304
Risk Score: 148

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic suggests the JavaScript is obfuscated, and a suspicious extracted artifact named 'javascript_obj0018_000.js' was found. This JavaScript is likely designed to download and execute a second-stage payload from a remote source, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • JavaScript action (severity: low, 2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched lines in script:
        s=s.replace(/Z/g, '%');
        app.alert(unescape(s));
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0018_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 18 at offset 0x2D6E
Size: 290 bytes
SHA-256: 3da2b6c1454d97f140e82da5968c0d6d868ed2e92bc0c016e9fdfc313697a027
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script (first 1,000 lines of the extracted script):

var s='';
var l=this.getPageNumWords(0);
for(var i=0; i < l; i++)
{
    s+=this.getPageNthWord(0,i) + ' ';
}

s=s.replace(/Z/g, '%');
app.alert(unescape(s));

//  app.alert(this.info.title);
//  var obj=this.doc;
//      for(var i in obj) s+=i+' = ' + obj[i]+"\n";
//  app.alert(s);