PDF malware analysis — malicious · 3a84c066b15ef585

MALICIOUS

PDF

477.4 KB Created: 2000-11-09 15:39:24 UTC Authoring application: PDF-XChange Viewer [Version: 2.0 (Build 48.0) (Mar 2 2010; 21:26:42)] First seen: 2026-05-10

MD5: 76e6b85ef8286cb900608f6f6711b4ce SHA-1: d89c9bf8d8e5dd0acf0cfe0717de595e8b43484f SHA-256: 3a84c066b15ef5859c60bbcaec44b493b326d817981492c2d41303cdca3ed28e

72 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains multiple embedded JavaScript streams and triggers associated with form buttons and XFA forms. The presence of PDF_JAVASCRIPT and PDF_JS heuristics, along with the unknown reputation of the XFA schema URL, strongly suggests an attempt to execute malicious JavaScript. This script is likely designed to download and execute a secondary payload, a common technique for initial access.

Machine Learning

Nyx PDF Classifier malicious score 0.8145

Heuristics 6

JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://policyworks.gov In PDF document text
- http://policy)TjReferenced by PDF JavaScript
- http://www.w3.org/1999/xhtmlIn PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- https://www.verisign.com/repository/RPA0In PDF document text
- https://www.verisign.com/repository/CPS��In PDF document text
- https://www.verisign.comIn PDF document text
- https://www.verisign.com/repository/verisignlogo.gif0�In PDF document text
- https://www.verisign.com/CPSIn PDF document text
- https://www.verisign.com/repository/CPSIn PDF document text
- http://www.microsoft.com/truetype/0In PDF document text

Extracted artifacts 24

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0171_000.js`	pdf-javascript-stream	PDF /JS object 171 at offset 0x12E0F	74 bytes
SHA-256: `38ccb4d7f05fa9595ac2ef8b06d73686a432e5420d8ca4545c18b169faba434c`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Matl OH Rate %", "Matl OH Base $"));
`javascript_obj0172_001.js`	pdf-javascript-stream	PDF /JS object 172 at offset 0x12E8A	38 bytes
SHA-256: `7c4dd28c53c2b7393848eb74d5a6380f39f8138fb652c6c1ec9269410e833b31`
Preview script First 1,000 lines of the extracted script AFNumber_Format(2, 0, 3, 0, "", true);
`javascript_obj0173_002.js`	pdf-javascript-stream	PDF /JS object 173 at offset 0x12EDF	41 bytes
SHA-256: `3c43d3a6c5aa8c8cec3b9ce00c6c3c43eb7f0b24d16f6054b313fbc804cbbcb5`
Preview script First 1,000 lines of the extracted script AFNumber_Keystroke(2, 0, 3, 0, "", true);
`javascript_obj0179_003.js`	pdf-javascript-stream	PDF /JS object 179 at offset 0x132AD	66 bytes
SHA-256: `95e62aaa44e5d21cd3427c74577cf2d42131189eee2ba4dbf3c7f25018e8990a`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("OH Rate 2", "Base Rate 2"));
`javascript_obj0183_004.js`	pdf-javascript-stream	PDF /JS object 183 at offset 0x1351B	66 bytes
SHA-256: `98de6b3aaf201596c9f81dbfb221037a789b41c13f5a4cc36abae8802ef17334`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("OH Rate 1", "Base Rate 1"));
`javascript_obj0187_005.js`	pdf-javascript-stream	PDF /JS object 187 at offset 0x13789	66 bytes
SHA-256: `69fc0f207ff4ee6c9d6964a37851b6eea540d5cd06bde20cd98abd1f1853a712`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 2", "Hrly Rate 2"));
`javascript_obj0193_006.js`	pdf-javascript-stream	PDF /JS object 193 at offset 0x13B0B	70 bytes
SHA-256: `8f1fb9a61e76a902115a9519357109c30348adf2e0a7aa1ab9cd2dcf6fd80ff1`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("4 Est Cost 1", "4 Est Cost 2"));
`javascript_obj0197_007.js`	pdf-javascript-stream	PDF /JS object 197 at offset 0x13D7B	223 bytes
SHA-256: `59c84de5317f642992d88409fe76e928af5e094e87bd05b0901f4b7ba3288cee`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("Direct Matls Total", "Matl OH Total", "Dir Labor Total", "Labor OH Total", "5 Equip Total", "6 Travel Total", "7 Lo-Tier Subs Total", "8 Consultants Total", "9 Other Dir Costs Total"));
`javascript_obj0201_008.js`	pdf-javascript-stream	PDF /JS object 201 at offset 0x1408E	104 bytes
SHA-256: `75c3c7b7d13e7a4763c062664ac1b2ef7b4bac78e23e661e9e2e3917b8761275`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("10 Total Price/OH", "11 Genl Admin Total", "12 Royalties Total"));
`javascript_obj0205_009.js`	pdf-javascript-stream	PDF /JS object 205 at offset 0x1432A	107 bytes
SHA-256: `c9cdd5b04644472a47f126fd83f72bd2a2a688541c0e72071694265189884db7`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("13 Total Price/Cost", "14 Profit/Fee Total", "15 Facilities Total"));
`javascript_obj0318_014.js`	pdf-javascript-stream	PDF /JS object 318 at offset 0x1839C	38 bytes
SHA-256: `729ca6264168a99bb97c0658554d5b34491e18c8ba65c8fc35d432391343ef33`
Preview script First 1,000 lines of the extracted script AFNumber_Format(2, 0, 0, 0, "", true);
`javascript_obj0319_015.js`	pdf-javascript-stream	PDF /JS object 319 at offset 0x183F1	41 bytes
SHA-256: `a011daa0ff2a361a79751d1cef42de9f50cfaaf7fc839fe5b5e485c7248b809d`
Preview script First 1,000 lines of the extracted script AFNumber_Keystroke(2, 0, 0, 0, "", true);
`javascript_obj0379_018.js`	pdf-javascript-stream	PDF /JS object 379 at offset 0x1BF18	70 bytes
SHA-256: `291cae8d78a6d33f8ca09af74fa9063ddfbbd3afb2fa9ddda5f9075783ef9976`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("1 Est Cost 1", "1 Est Cost 2"));
`javascript_obj0384_019.js`	pdf-javascript-stream	PDF /JS object 384 at offset 0x1C347	66 bytes
SHA-256: `8effecd4ad5c30e137550f7dd1f774b46a9b3dcfb3daafc83bab51a8776709d2`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 1", "Hrly Rate 1"));
`javascript_obj0388_020.js`	pdf-javascript-stream	PDF /JS object 388 at offset 0x1C5BB	66 bytes
SHA-256: `57e3e3db5dc5b572e3db04fca1834e7fc0d04c7b5386097b70f3e77b310f2b19`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 3", "Hrly Rate 3"));
`javascript_obj0392_021.js`	pdf-javascript-stream	PDF /JS object 392 at offset 0x1C829	80 bytes
SHA-256: `4c55b47f88f5fcf2ca56aea8d196084af573ea5c5485b549df6aab8be6a13d72`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("Est Cost 1", "Est Cost 2", "Est Cost 3"));
`stream_093_off000246f7.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x246F7	39048 bytes
SHA-256: `ad58148a835464b8ea40b7e831878a29ce9d710691677795fae28cf44894e55d`
`stream_094_off0002a60a.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2A60A	38796 bytes
SHA-256: `f1e98c80678b402a3800200b0f2955a69fd3d93de38adb68184ad1608d0e105d`
`stream_095_off00030446.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x30446	38380 bytes
SHA-256: `269e7d5444b7bdcc282bf0530ebbe7ebf7b14e85334d0e304b9ad389d66ff391`
`stream_113_off00061054.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x61054	89640 bytes
SHA-256: `af791d539c47f0308f39cf0ec75fce3dda4404a317e3542bd4ad5f6457abbc04`
`font_00_cff_off00036162.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x36162	354 bytes
SHA-256: `6d3bf7ef83b171a9f5e2ab5589c433f1548f47867227b72ff0b3c75d59c1dfb1`
`font_01_cff_off000362f1.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x362F1	372 bytes
SHA-256: `6ee783fffb2c92254e8a22cb91f44d399b6913609d123e5e9e4589c7dc677be3`
`font_02_sfnt_off000370e2.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x370E2	16256 bytes
SHA-256: `dc71de5809c40de45cfe64e801de32bf78465e826ab4611f6afe5d568216f058`
`font_03_sfnt_off00054d9b.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x54D9B	20352 bytes
SHA-256: `2f4f5f27d2a9d2f4ac1190938d64e787435d2323ecb062834188079c997a10f3`

Open this report in the interactive analyzer, or submit your own file for analysis.