PDF malware analysis — malicious · 9a0abfdf0200720b

MALICIOUS

PDF

506.8 KB Created: 2000-11-09 15:39:24 UTC Authoring application: PDF-XChange Viewer [Version: 2.0 (Build 48.0) (Mar 2 2010; 21:26:42)] First seen: 2026-05-10

MD5: 2ffc14295dbfb8219195deee5ac93238 SHA-1: b152b505491acabf2aa2de8837ae7fb2ec5ae772 SHA-256: 9a0abfdf0200720b8b4dbc679ae6f512f11ee110e2c5571330c56e9d632622df

72 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams and an XFA form, indicating an attempt to execute malicious code upon opening or interaction. The presence of PDF_JAVASCRIPT and PDF_JS heuristics strongly suggests the embedded JavaScript is intended to be executed. While the document body appears to be a legitimate form, the embedded scripts and XFA structure are suspicious. The exact intent of the JavaScript is unclear due to obfuscation, but it likely aims to download and execute a second-stage payload or exploit a vulnerability.

Machine Learning

Nyx PDF Classifier malicious score 0.8402

Heuristics 6

JavaScript action low 1 related finding PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://policyworks.gov In PDF document text
- http://policy)TjReferenced by PDF JavaScript
- http://www.w3.org/1999/xhtmlIn PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- https://www.verisign.com/repository/RPA0In PDF document text
- https://www.verisign.com/repository/CPS��In PDF document text
- https://www.verisign.comIn PDF document text
- https://www.verisign.com/repository/verisignlogo.gif0�In PDF document text
- https://www.verisign.com/CPSIn PDF document text
- https://www.verisign.com/repository/CPSIn PDF document text
- http://www.microsoft.com/truetype/0In PDF document text

Extracted artifacts 24

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0171_000.js`	pdf-javascript-stream	PDF /JS object 171 at offset 0x12E16	74 bytes
SHA-256: `38ccb4d7f05fa9595ac2ef8b06d73686a432e5420d8ca4545c18b169faba434c`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Matl OH Rate %", "Matl OH Base $"));
`javascript_obj0172_001.js`	pdf-javascript-stream	PDF /JS object 172 at offset 0x12E91	38 bytes
SHA-256: `7c4dd28c53c2b7393848eb74d5a6380f39f8138fb652c6c1ec9269410e833b31`
Preview script First 1,000 lines of the extracted script AFNumber_Format(2, 0, 3, 0, "", true);
`javascript_obj0173_002.js`	pdf-javascript-stream	PDF /JS object 173 at offset 0x12EE6	41 bytes
SHA-256: `3c43d3a6c5aa8c8cec3b9ce00c6c3c43eb7f0b24d16f6054b313fbc804cbbcb5`
Preview script First 1,000 lines of the extracted script AFNumber_Keystroke(2, 0, 3, 0, "", true);
`javascript_obj0179_003.js`	pdf-javascript-stream	PDF /JS object 179 at offset 0x132B4	66 bytes
SHA-256: `95e62aaa44e5d21cd3427c74577cf2d42131189eee2ba4dbf3c7f25018e8990a`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("OH Rate 2", "Base Rate 2"));
`javascript_obj0183_004.js`	pdf-javascript-stream	PDF /JS object 183 at offset 0x13522	66 bytes
SHA-256: `98de6b3aaf201596c9f81dbfb221037a789b41c13f5a4cc36abae8802ef17334`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("OH Rate 1", "Base Rate 1"));
`javascript_obj0187_005.js`	pdf-javascript-stream	PDF /JS object 187 at offset 0x13790	66 bytes
SHA-256: `69fc0f207ff4ee6c9d6964a37851b6eea540d5cd06bde20cd98abd1f1853a712`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 2", "Hrly Rate 2"));
`javascript_obj0193_006.js`	pdf-javascript-stream	PDF /JS object 193 at offset 0x13B12	70 bytes
SHA-256: `8f1fb9a61e76a902115a9519357109c30348adf2e0a7aa1ab9cd2dcf6fd80ff1`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("4 Est Cost 1", "4 Est Cost 2"));
`javascript_obj0197_007.js`	pdf-javascript-stream	PDF /JS object 197 at offset 0x13D82	223 bytes
SHA-256: `59c84de5317f642992d88409fe76e928af5e094e87bd05b0901f4b7ba3288cee`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("Direct Matls Total", "Matl OH Total", "Dir Labor Total", "Labor OH Total", "5 Equip Total", "6 Travel Total", "7 Lo-Tier Subs Total", "8 Consultants Total", "9 Other Dir Costs Total"));
`javascript_obj0201_008.js`	pdf-javascript-stream	PDF /JS object 201 at offset 0x14095	104 bytes
SHA-256: `75c3c7b7d13e7a4763c062664ac1b2ef7b4bac78e23e661e9e2e3917b8761275`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("10 Total Price/OH", "11 Genl Admin Total", "12 Royalties Total"));
`javascript_obj0205_009.js`	pdf-javascript-stream	PDF /JS object 205 at offset 0x14331	107 bytes
SHA-256: `c9cdd5b04644472a47f126fd83f72bd2a2a688541c0e72071694265189884db7`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("13 Total Price/Cost", "14 Profit/Fee Total", "15 Facilities Total"));
`javascript_obj0318_014.js`	pdf-javascript-stream	PDF /JS object 318 at offset 0x183A4	38 bytes
SHA-256: `729ca6264168a99bb97c0658554d5b34491e18c8ba65c8fc35d432391343ef33`
Preview script First 1,000 lines of the extracted script AFNumber_Format(2, 0, 0, 0, "", true);
`javascript_obj0319_015.js`	pdf-javascript-stream	PDF /JS object 319 at offset 0x183F9	41 bytes
SHA-256: `a011daa0ff2a361a79751d1cef42de9f50cfaaf7fc839fe5b5e485c7248b809d`
Preview script First 1,000 lines of the extracted script AFNumber_Keystroke(2, 0, 0, 0, "", true);
`javascript_obj0379_018.js`	pdf-javascript-stream	PDF /JS object 379 at offset 0x1BF27	70 bytes
SHA-256: `291cae8d78a6d33f8ca09af74fa9063ddfbbd3afb2fa9ddda5f9075783ef9976`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("1 Est Cost 1", "1 Est Cost 2"));
`javascript_obj0384_019.js`	pdf-javascript-stream	PDF /JS object 384 at offset 0x1C356	66 bytes
SHA-256: `8effecd4ad5c30e137550f7dd1f774b46a9b3dcfb3daafc83bab51a8776709d2`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 1", "Hrly Rate 1"));
`javascript_obj0388_020.js`	pdf-javascript-stream	PDF /JS object 388 at offset 0x1C5CA	66 bytes
SHA-256: `57e3e3db5dc5b572e3db04fca1834e7fc0d04c7b5386097b70f3e77b310f2b19`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("PRD", new Array ("Est Hrs 3", "Hrly Rate 3"));
`javascript_obj0392_021.js`	pdf-javascript-stream	PDF /JS object 392 at offset 0x1C838	80 bytes
SHA-256: `4c55b47f88f5fcf2ca56aea8d196084af573ea5c5485b549df6aab8be6a13d72`
Preview script First 1,000 lines of the extracted script AFSimple_Calculate("SUM", new Array ("Est Cost 1", "Est Cost 2", "Est Cost 3"));
`stream_093_off00024705.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x24705	39048 bytes
SHA-256: `ad58148a835464b8ea40b7e831878a29ce9d710691677795fae28cf44894e55d`
`stream_094_off0002a618.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2A618	38796 bytes
SHA-256: `f1e98c80678b402a3800200b0f2955a69fd3d93de38adb68184ad1608d0e105d`
`stream_095_off00030454.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x30454	38380 bytes
SHA-256: `269e7d5444b7bdcc282bf0530ebbe7ebf7b14e85334d0e304b9ad389d66ff391`
`stream_113_off000611c1.bin`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x611C1	90048 bytes
SHA-256: `952ca2e43946ba4316d2ab2cc47eea9cb4dc894101ae517649e2d6215d8cc329`
`font_00_cff_off00036170.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x36170	354 bytes
SHA-256: `6d3bf7ef83b171a9f5e2ab5589c433f1548f47867227b72ff0b3c75d59c1dfb1`
`font_01_cff_off000362ff.bin`	pdf-font-stream	PDF embedded font (cff) at offset 0x362FF	372 bytes
SHA-256: `6ee783fffb2c92254e8a22cb91f44d399b6913609d123e5e9e4589c7dc677be3`
`font_02_sfnt_off000370f0.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x370F0	16256 bytes
SHA-256: `dc71de5809c40de45cfe64e801de32bf78465e826ab4611f6afe5d568216f058`
`font_03_sfnt_off00054f08.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x54F08	20352 bytes
SHA-256: `2f4f5f27d2a9d2f4ac1190938d64e787435d2323ecb062834188079c997a10f3`

Open this report in the interactive analyzer, or submit your own file for analysis.