Malicious PDF — malware analysis report

Static analysis result for SHA-256 8aae82dfe337761e…

MALICIOUS

PDF

570.5 KB Created: 2026-04-02 22:22:49 +00:00 Authoring application: Chromium (via Skia/PDF m145) First seen: 2026-04-07
MD5: 5d6cb2bf977bc91dfeb22dba13aa5a9d SHA-1: 382714d4fee0668bf257f7b5c028c18879354f37 SHA-256: 8aae82dfe337761e498f8509c66b54f7ffb59896606869739f22f6b8a07ab64c
64 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains heuristics indicating a generic JavaScript exploit stage recovery, suggesting it's designed to exploit a vulnerability. The presence of a direct IP address in a URI (104.249.10.197) strongly suggests a malicious intent to download a secondary payload. The recovered JavaScript artifacts, while heavily obfuscated, are consistent with exploit delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics 4

  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Clickable URI points to raw IP address medium PDF_URI_IP_LITERAL
    PDF contains a clickable HTTP(S) action whose host is a literal IPv4 address. Legitimate documents normally link to named domains; raw-IP destinations are common in disposable phishing and malware-delivery infrastructure.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://104.249.10.197/index.php

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000003b2.bin
66a92da36a6894704b2a5d64d3aaa4397c80abb967cc1ab8593208d2d2fb3057		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3B2 1080000 bytes
generic_stage_recovery_000.js
0bfbe97ccdbd9263b00e42bc5d4d684417ea1af0bc49d15d1ebbebbb7969a46d		 deobfuscated-js generic stage recovery percent-decode from raw PDF metadata at offset 0x0 262144 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_001.js
af8ce5943635b12fd9ae71903ff90a7e65ca6344acffa24d56f71f622ec4e632		 deobfuscated-js generic stage recovery percent-decode from decompressed stream at 0x0 at offset 0x0 262144 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
icc_00_off000001cf.icc
d9f822e8083f2f4d1c91e887454be5f75e8c7144b2853408f361e3c4a7a6b36d		 pdf-icc-profile PDF ICC profile at offset 0x1CF 536 bytes
font_00_sfnt_off0007ea65.bin
e70c728c082c7d11dff847d3079feedae84aa0abf1702e7285a5780abb9cba64		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7EA65 64700 bytes
font_01_sfnt_off000892f9.bin
9a862f972b29042f808799e693c1ebfe36d9a9384f0f598c1dae2b1debae2d06		 pdf-font-stream PDF embedded font (sfnt) at offset 0x892F9 29892 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.