Malicious PDF — malware analysis report

Static analysis result for SHA-256 69bca4aa90dc5255…

MALICIOUS

PDF

Size: 1.08 MB
First seen: 2026-05-09
MD5: c8c231abbe0ebbdf77b1ecc14972ecb8
SHA-1: 4bb3d0adb97751c8477dd0a5e6de9fea201a6b8a
SHA-256: 69bca4aa90dc5255cb07cb19d738188c65ada4a20517119624e4514a56e33730
Risk Score: 86

Digital signature: Signed

A signature covers the whole signed byte range — PDF JavaScript is never signed on its own — and does not by itself mean the document is safe.

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The PDF exhibits structural anomalies, specifically an encrypted document and duplicate object bodies. These characteristics suggest an attempt to hinder static analysis or conceal malicious content. Without readable document body text or scripts, the exact intent cannot be determined, but the obfuscation techniques are indicative of malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.1234

Heuristics (5)

  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Encrypted PDF (string and stream contents are opaque to static scan) (info) PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel that reached it):
    • http://www.monotype.comMonotype (In PDF document text)
    • http://cgi.adobe.com/special/acrobat/update (Referenced by PDF JavaScript)
    • http://www.xfa.org/schema/xci/1.0/ (In PDF document text)
    • http://www.xfa.org/schema/xci/2.8/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-template/2.5/ (In PDF document text)
    • http://www.w3.org/1999/xhtml (In PDF document text)
    • http://www.xfa.org/schema/xfa-data/1.0/ (In PDF document text)
    • http://www.adobe.com/es/products/acrobat/readstep2.html (In PDF document text)
    • http://ns.adobe.com/data-description/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-connection-set/2.1/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-connection-set/2.4/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-locale-set/2.1/ (In PDF document text)
    • http://www.xfa.org/schema/xfa-form/2.8/ (In PDF document text)
    • https://www.verisign.com/rpa (In PDF document text)
    • http://ocsp.verisign.com/ocsp/status0 (In PDF document text)
    • https://www.verisign.com/rpa0 (In PDF document text)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (In PDF document text)
    • http://www.microsoft.com/typography (In PDF document text)
    • http://www.monotype.com/html/mtname/ms_arial.html (In PDF document text)
    • http://www.monotype.com/html/mtname/ms_welcome.html (In PDF document text)
    • http://www.monotype.com/html/type/license.html (In PDF document text)

Extracted artifacts (11)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0047_000.js | pdf-javascript-stream | PDF /JS object 47 at offset 0x115C7B | 2795 bytes
SHA-256: 826c5622c798d67e5281cca7e05933dddc90ccdcb0a6177c9f7d06f11bef8f7f
Preview script (first 1,000 lines of the extracted script):
if (typeof(this.ADBE) == "undefined")
   this.ADBE = new Object();
ADBE.LANGUAGE = "ENU";
ADBE.Viewer_string_Title = "Adobe Acrobat";
ADBE.Viewer_string_Update_Desc = "Adobe Interactive Forms Update";
ADBE.Viewer_string_Update_Reader_Desc = "Adobe Reader 7.0.5";
ADBE.Reader_string_Need_New_Version_Msg = "This PDF file requires a newer version of Adobe Reader. Press OK to download the latest version or see your system administrator.";
ADBE.Viewer_Form_string_Reader_601 = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Reader_Older = "This PDF form requires a newer version of Adobe Reader. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK for online download information or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_601 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. Press OK to initiate an online update or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_60 = "This PDF form requires a newer version of Adobe Acrobat. Although the form may appear to work properly, some elements may function improperly or may not appear at all. For more information please copy the following URL (CTRL+C on Win, Command-C on Mac) and paste into your browser or see your system administrator.";
ADBE.Viewer_Form_string_Viewer_Older = "This PDF requires a newer version of Acrobat. Copy this URL and paste into your browser or see your sys admin.";
ADBE.Viewer_Form_string_Reader_5x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will open your browser to a web page where you can obtain the latest version.";
ADBE.Viewer_Form_string_Reader_6_7x = "This PDF form requires a newer version of Adobe Reader. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
ADBE.Viewer_Form_string_Viewer = "This PDF form requires a newer version of Adobe Acrobat. Without a newer version, the form may be displayed, but it might not work properly. Some form elements might not be visible at all. If an internet connection is available, clicking OK will download and install the latest version.";
javascript_obj0048_001.js | pdf-javascript-stream | PDF /JS object 48 at offset 0x115F40 | 902 bytes
SHA-256: 91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090
Preview script (first 1,000 lines of the extracted script):
if (typeof(ADBE.Reader_Value_Asked) == "undefined")
   ADBE.Reader_Value_Asked = false;
if (typeof(ADBE.Viewer_Value_Asked) == "undefined")
   ADBE.Viewer_Value_Asked = false;
if (typeof(ADBE.Reader_Need_Version) == "undefined" || ADBE.Reader_Need_Version < 8.0)
{
   ADBE.Reader_Need_Version = 8.0;
   ADBE.Reader_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Reader_Need_Version;
}
if (typeof(ADBE.Viewer_Need_Version) == "undefined" || ADBE.Viewer_Need_Version < 8.0)
{
   ADBE.Viewer_Need_Version = 8.0;
   ADBE.Viewer_Value_New_Version_URL = "http://cgi.adobe.com/special/acrobat/update";
   ADBE.SYSINFO = "?p=" + app.platform + "&v=" + app.viewerVersion + "&l=" + app.language + "&c=" + app.viewerType + "&r=" + ADBE.Viewer_Need_Version;
}
javascript_obj0049_002.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x116097 | 1367 bytes
SHA-256: f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531
Preview script (first 1,000 lines of the extracted script):
if (typeof(xfa_installed) == "undefined" || typeof(xfa_version) == "undefined" || xfa_version < 2.5)
{
   if (app.viewerType == "Reader")
   {
      if (ADBE.Reader_Value_Asked != true)
      {
         if (app.viewerVersion < 8.0)
         {
            if (app.alert(ADBE.Reader_string_Need_New_Version_Msg, 1, 1) == 1)
               this.getURL(ADBE.Reader_Value_New_Version_URL + ADBE.SYSINFO, false);
            ADBE.Reader_Value_Asked = true;
         }
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
      }
   }
   else
   {
      if (ADBE.Viewer_Value_Asked != true)
      {
         if (app.viewerVersion < 7.0)
            app.response({cQuestion: ADBE.Viewer_Form_string_Viewer_Older, cDefault: ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, cTitle: ADBE.Viewer_string_Title});
         else if (app.viewerVersion < 8.0)
         {
            if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
               app.launchURL(ADBE.Viewer_Value_New_Version_URL + ADBE.SYSINFO, true);
         }
         else if (app.alert(ADBE.Viewer_Form_string_Viewer, 1, 1) == 1)
            app.findComponent({cType:"Plugin", cName:"XFA", cDesc: ADBE.Viewer_string_Update_Desc});
         ADBE.Viewer_Value_Asked = true;
      }
   }
}
stream_001_off0000280e.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x280E | 2527 bytes
SHA-256: 9c8f5120fe717bad61616791d8a77c204b0a541bd1f5b92c57e1e8f1b02825e6
stream_002_off00002c23.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2C23 | 1864934 bytes
SHA-256: 6390e1d405650b291b70974a9e1a0903a8479c8f1b666b8c4cd375d22d37ff78
Detection:
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). 934 of 2009 identifiers look randomly generated (e.g. 'm0sOdzHE0SnxYqe14lJpoRZhrfD7ZRwi4B4IsWdt'); 6 string-concatenation chain(s), consistent with name-mangling obfuscation. Carved artifact contains 3 long base64-like blob(s).
stream_003_off0007abdc.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7ABDC | 8635 bytes
SHA-256: 000594546089f5a9bce6a009cf112dfb2a5fe218c241df29cb5c6f2a5031ae8e
stream_004_off0007b143.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7B143 | 293 bytes
SHA-256: dd4cb1365c7f1db716fd9bc2b3e5806213778969743d99d7576aa32d20d8a587
stream_005_off0007b245.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7B245 | 2456 bytes
SHA-256: c9464a86541ee4e3f1e05444e9672583398064969e93c14e127da48fd86714fb
stream_010_off0007c24b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7C24B | 759 bytes
SHA-256: 5b279783cc475d00585d841dda9e3e20c9367c46827d9a68648e094ed53c9303
stream_013_off0007e1b2.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7E1B2 | 352198 bytes
SHA-256: 1e8564d3d89047875dccaa98279599de9d7ddf77240906041f1156ba8edf3315
stream_015_off000ce5dc.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xCE5DC | 367087 bytes
SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa