PDF static analysis report

Static analysis result for SHA-256 416556f9de4d1b73…

SUSPICIOUS

PDF

78.3 KB Created: 2004-02-25 16:42:56 -05:00 Authoring application: Adobe Illustrator 9.0.1 (via Adobe PDF library 4.800) First seen: 2026-05-11
MD5: ed39c015565677a0beb43a66b3f28bd6 SHA-1: 089a8703e6258bd582ce09e1409b03c80c7bef0e SHA-256: 416556f9de4d1b73e40f1c6dbc300fdf3cb7ca158f6b22db3c8f766d76b13635
26 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.2045

Heuristics 4

  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text

Extracted artifacts 25

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0139_000.js pdf-javascript-stream PDF /JS object 139 at offset 0x1E36 145 bytes
SHA-256: d8833d79ca45c8ca9ece0ff2063a60b2c245b7bb9f3b52c74c971664b642db07
Preview script
First 1,000 lines of the extracted script
var fecha=this.getField("fecha");
var today=new Date();
fecha.defaultValue = formatDate(today, "dd/MM/yyyy")
fecha.value=fecha.defaultValue;
javascript_obj0112_001.js pdf-javascript-stream PDF /JS object 112 at offset 0xF656 88 bytes
SHA-256: 6f41a385b150f04a6757ebe5c48f6c7982616054ab7c86e10e179e699ea99bba
Preview script
First 1,000 lines of the extracted script
if (!checkStringOnlyNums(event.change))
{
    event.change="";
    event.rc=false;
}
javascript_obj0109_003.js pdf-javascript-stream PDF /JS object 109 at offset 0x10670 33 bytes
SHA-256: 57758ded0ac3700f786c45e29cca00842b712fb028ce95a4cd688d4f70c62fce
Preview script
First 1,000 lines of the extracted script
AFDate_KeystrokeEx("dd/mm/yyyy");
javascript_obj0108_004.js pdf-javascript-stream PDF /JS object 108 at offset 0x106BB 38 bytes
SHA-256: ae95d6581723cae0c2c1e3044a60f6c91e032264799b53449cd6269e6993d7bc
Preview script
First 1,000 lines of the extracted script
AFNumber_Format(0, 0, 0, 0, "", true);
javascript_obj0107_005.js pdf-javascript-stream PDF /JS object 107 at offset 0x1070B 41 bytes
SHA-256: 617ef4da07d9bc9d4e06a2320fe0d4cbacd3d6c2cc82039cf4e79e7facf7545f
Preview script
First 1,000 lines of the extracted script
AFNumber_Keystroke(0, 0, 0, 0, "", true);
javascript_obj0106_006.js pdf-javascript-stream PDF /JS object 106 at offset 0x1075E 89 bytes
SHA-256: cd7085eaf347490345794d135ad6387c797c9a8d416b3fcbf1c10ae869f7c246
Preview script
First 1,000 lines of the extracted script
/*if (!checkStringOnlyChars(event.change))
{
    event.change="";
    event.rc=false;
}*/
javascript_obj0105_007.js pdf-javascript-stream PDF /JS object 105 at offset 0x107E7 38 bytes
SHA-256: 729ca6264168a99bb97c0658554d5b34491e18c8ba65c8fc35d432391343ef33
Preview script
First 1,000 lines of the extracted script
AFNumber_Format(2, 0, 0, 0, "", true);
javascript_obj0104_008.js pdf-javascript-stream PDF /JS object 104 at offset 0x10837 41 bytes
SHA-256: a011daa0ff2a361a79751d1cef42de9f50cfaaf7fc839fe5b5e485c7248b809d
Preview script
First 1,000 lines of the extracted script
AFNumber_Keystroke(2, 0, 0, 0, "", true);
javascript_obj0099_011.js pdf-javascript-stream PDF /JS object 99 at offset 0x11BF9 157 bytes
SHA-256: 358151527d44a20cbb3e806bba9d3b545f93cdb802a0574146d5a2ab9d4d1a8d
Preview script
First 1,000 lines of the extracted script
var otros=this.getField("otros")
if (event.value=="Otros (Por favor especificar a continuaci�n)")
    otros.readonly=false;
else
    otros.readonly=true;
javascript_obj0120_012.js pdf-javascript-stream PDF /JS object 120 at offset 0x11CF8 215 bytes
SHA-256: cf97633d7035d19004d07cb6d81c7741840c914bb00ad37fcf21b751c4e09cd9
Preview script
First 1,000 lines of the extracted script
if ((String(event.value).length!=0))
    if ((String(event.value).length>8) || (String(event.value).length<6))
    {
        app.alert("Debe ingresar un n�mero telef�nico v�lido.")
        event.rc=false;
    }
javascript_obj0118_013.js pdf-javascript-stream PDF /JS object 118 at offset 0x11EF4 38 bytes
SHA-256: d01aa0c07a077ec23f69b8fd9ccdaa6826882e0b2e7e446039ebdd1d983fffcc
Preview script
First 1,000 lines of the extracted script
AFNumber_Format(0, 1, 0, 0, "", true);
javascript_obj0117_014.js pdf-javascript-stream PDF /JS object 117 at offset 0x11F44 41 bytes
SHA-256: 3e3d0e421d915769fa631911550fb2593579e6bb9a99fb9158381ac8e8f07fe2
Preview script
First 1,000 lines of the extracted script
AFNumber_Keystroke(0, 1, 0, 0, "", true);
javascript_obj0111_015.js pdf-javascript-stream PDF /JS object 111 at offset 0x11F97 89 bytes
SHA-256: 4338dbb4cc316e8aacad7227b13134d807c9b3ab7d8e6c229b1a5ed364d80679
Preview script
First 1,000 lines of the extracted script
if (!checkStringOnlyChars(event.change))
{
    event.change="";
    event.rc=false;
}
javascript_obj0114_016.js pdf-javascript-stream PDF /JS object 114 at offset 0x121F7 51 bytes
SHA-256: f015573565264e0ab57b71655084a5959c27e67221812cad59b4e5fbb31d4cea
Preview script
First 1,000 lines of the extracted script
if (!checkDate(event.value))
    event.rc=false;
javascript_obj0015_017.js pdf-javascript-stream PDF /JS object 15 at offset 0x123E3 85 bytes
SHA-256: bc2ae8ada541508136f4e743b670c74e84e6426817d85b0b88b60cd5b51ae255
Preview script
First 1,000 lines of the extracted script
function addZero(vNumber)
{
    return ((vNumber < 10) ? "0" : "") + vNumber ;
}
javascript_obj0017_018.js pdf-javascript-stream PDF /JS object 17 at offset 0x12499 254 bytes
SHA-256: f2f2aeeb940c9f4cbbb63278623486d12b67603c7e94534028fd8a7ccdce135b
Preview script
First 1,000 lines of the extracted script
function checkStringOnlyChars(value)
{
    var checkStr="<>,;.:_��\\1234567890!\"�$%&/()=?��|@#��~[]{}�+`�;^*Ǩ";
    for (i=0; i<value.length; i++)
        if (checkStr.indexOf(value.substr(i,1)) >= 0)
            return false;
    return true;
}
javascript_obj0018_019.js pdf-javascript-stream PDF /JS object 18 at offset 0x125DD 212 bytes
SHA-256: 15738823d46d0031d83fc529b587b8d4f5db5161eb15e16a707a38a951da0c8f
Preview script
First 1,000 lines of the extracted script
function checkStringOnlyNums(value)
{
    var checkStr="0123456789";
    for (i=0; i<value.length; i++)
        if (!(checkStr.indexOf(value.substr(i,1)) >= 0))
            return false;
    return true;
}
javascript_obj0021_020.js pdf-javascript-stream PDF /JS object 21 at offset 0x1274A 110 bytes
SHA-256: fc0817086763f826fc86ffa7705027f476292243ee0bd9c4b85bcbfaa535b845
Preview script
First 1,000 lines of the extracted script
function swapOtraMoneda(bVisible)
{
    var omon = this.getField("Omon");
    omon.readonly=(!bVisible);
}
javascript_obj0022_021.js pdf-javascript-stream PDF /JS object 22 at offset 0x127ED 505 bytes
SHA-256: fb1653ee89cbc60dd08f6ed768f4f885fc93f9d2b3e6b07b728b6028dd9960d6
Preview script
First 1,000 lines of the extracted script
function stringToDate(DateValue)
{
    var firstSlashPos=DateValue.indexOf("/");
    var lastSlashPos=DateValue.lastIndexOf("/");
    year=0;
    month=0;
    day=0;
    year = DateValue.substr(lastSlashPos+1,DateValue.length - lastSlashPos);
    month = DateValue.substr(firstSlashPos+1,lastSlashPos-firstSlashPos-1);
    day = DateValue.substr(0,firstSlashPos);
    fechaFormat=new Date();
    fechaFormat.setFullYear(year);
    fechaFormat.setMonth(month-1,day);
    return fechaFormat;
}
javascript_obj0023_022.js pdf-javascript-stream PDF /JS object 23 at offset 0x12914 816 bytes
SHA-256: 175b1e9fce8c29f08a8d2d1611183c1e54d0f7f389620cdcab15b14cec658e0e
Preview script
First 1,000 lines of the extracted script
function formatDate(vDate, vFormat)
{ 
    var vDay                      = addZero(vDate.getDate()); 
    var vMonth            = addZero(vDate.getMonth()+1); 
    var vYearLong         = addZero(vDate.getFullYear()); 
    var vYearShort        = addZero(vDate.getFullYear().toString().substring(3,4)); 
    var vYear             = (vFormat.indexOf("yyyy")>-1?vYearLong:vYearShort) 
    var vHour             = addZero(vDate.getHours()); 
    var vMinute           = addZero(vDate.getMinutes()); 
    var vSecond           = addZero(vDate.getSeconds()); 
    var vDateString       = vFormat.replace(/dd/g, vDay).replace(/MM/g, vMonth).replace(/y{1,4}/g, vYear) 
    vDateString           = vDateString.replace(/hh/g, vHour).replace(/mm/g, vMinute).replace(/ss/g, vSecond) 
    return vDateString 
}
javascript_obj0024_023.js pdf-javascript-stream PDF /JS object 24 at offset 0x12A85 1611 bytes
SHA-256: a3f6129a77fdedbcdda28dd0f9b659c9d2cfdc2f548787f7b6147a0619c9d144
Preview script
First 1,000 lines of the extracted script
function checkDate(DateValue)
{
	if (DateValue=="")
		return true;
	var checkstr = "0123456789";
	var DateTemp = "";
	var seperator = "/";
	var day=0;
	var month=0;
	var year=0;
	var leap = 0;
	var err = 0;
	var i;
	var strErr="La fecha es incorrecta. Por favor, verifique que la fecha exista. La fecha debe estar de acuerdo al formato dd/mm/aaaa";
	err = 0;
	var firstSlashPos=DateValue.indexOf("/");
	var lastSlashPos=DateValue.lastIndexOf("/");
	if (firstSlashPos==lastSlashPos)
	{
		app.alert(strErr);
		return false;
	}
	year = DateValue.substr(lastSlashPos+1,DateValue.length - lastSlashPos)
	if (year == 0)
	{
		err = 20;
	}
	month = DateValue.substr(firstSlashPos+1,lastSlashPos-firstSlashPos-1);
	if ((month < 1) || (month > 12))
	{
		err = 21;
	}
	day = DateValue.substr(0,firstSlashPos);
	if ((day < 1) || (day >31))
	{
		err = 22;
	}
	if ((year % 4 == 0) || (year % 100 == 0) || (year % 400 == 0))
	{
		leap = 1;
	}
	if ((month == 2) && (leap == 1) && (day > 29))
	{
		err = 23;
	}
	if ((month == 2) && (leap != 1) && (day > 28))
	{
		err = 24;
	}
	if ((day > 31) && ((month == "01") || (month == "03") || (month == "05") || (month == "07") || (month == "08") || (month == "10") || (month == "12")))
	{
		err = 25;
	}
	if ((day > 30) && ((month == "04") || (month == "06") || (month == "09") || (month == "11")))
	{
		err = 26;
	}
	if ((day == 0) && (month == 0) && (year == 00))
	{
		err = 27;
		day = "";
		month = "";
		year = "";
		seperator = "";
	}
	if (err != 0)
	{
		app.alert(strErr);
		return false;
	}
	return true;
}
javascript_obj0096_024.js pdf-javascript-stream PDF /JS object 96 at offset 0x11E13 261 bytes
SHA-256: b5d347d2c15011c0ecbc96badd6480f07d1979a89d44c832d5791643308eb044
Preview script
First 1,000 lines of the extracted script
if (event.value!="")
{
    var lpszValor;
    var iPos;
    lpszValor=String(event.value);
    iPos=((lpszValor.length-4)<0)?0:lpszValor.length-4;
    event.value=util.printf("%s-%s", String(lpszValor.substr(0,iPos)), String(lpszValor.substr(iPos,4)));
}
font_00_cff_off0000341d.bin pdf-font-stream PDF embedded font (cff) at offset 0x341D 2592 bytes
SHA-256: 8af77a8120cad34282369b63df8e587550ab5f9a7388557d88ae6eac7ec25966
font_01_cff_off00004010.bin pdf-font-stream PDF embedded font (cff) at offset 0x4010 8372 bytes
SHA-256: 09b9abfd9d19d0c7f25e01d9891fb871c08832b73a05d2b0e88c7ede9b551b40
font_02_cff_off00005be6.bin pdf-font-stream PDF embedded font (cff) at offset 0x5BE6 2414 bytes
SHA-256: 2606917f60bdf282f51b28ecdc15ec546c2bbf475a0d6ab4afd7e954a1345d3f