Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0096213a5e73291…

Verdict: MALICIOUS
File type: PDF
Size: 489.6 KB
Created: 2008-11-24 08:01:49 +01:00
Authoring application: RELDP 2009 v7pdf (41464 - Draft, VersiForm) (via DocuCom PDF Driver 8.00 for NT)
First seen: 2026-05-09
MD5: 02ce082f79573dbae9a29036ce5daeb8
SHA-1: aecdae004beced4fbc95bf621a775ab5f0540c97
SHA-256: b0096213a5e73291c7f88c3979237854cb4a9ead52ad81c6dba777ed87f64b00
Risk score: 78

🔏 Digital signature: modified after signing

A signature covers only the bytes named in its /ByteRange, so anything appended afterwards in an incremental update is outside what the signer approved. PDF JavaScript is never signed on its own, and a signature that verifies does not by itself mean the document is safe.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8288

Heuristics (6)

  • Active content added after the PDF was signed [medium] PDF_SIGNATURE_POST_SIGN_MODIFICATION
    An incremental update appended AFTER the signed byte range introduces active content (/JavaScript, /JS, /AA). Some of this can occur in legitimate form-fill (field scripts, a rewritten /Catalog), so it is suspicious rather than damning, but it is content the signer did not approve.
  • JavaScript action [low, 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Strings are listed as extracted, including text fused onto the end of a URL and trailing '0' bytes.
    • http://www.monotype.comMonotype (referenced by PDF JavaScript)
    • http://www.monotype.comhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    • http://www.monotype.comHoward (referenced by PDF JavaScript)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa (referenced by PDF JavaScript)
    • http://ocsp.verisign.com/ocsp/status0 (referenced by PDF JavaScript)
    • https://www.verisign.com/rpa0 (referenced by PDF JavaScript)
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA.crl0 (referenced by PDF JavaScript)
    • http://www.microsoft.com/typography (referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_arial.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlNOTIFICATION (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/RPA0 (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/CPS (referenced by PDF JavaScript)
    • https://www.verisign.com (referenced by PDF JavaScript)
    • https://www.verisign.com/repository/verisignlogo.gif0 (referenced by PDF JavaScript)
    • https://www.verisign.com/CPS (referenced by PDF JavaScript)
    • http://www.microsoft.com/truetype/0 (referenced by PDF JavaScript)
    • http://www.monotype.com/html/mtname/ms_couriernew.htmlhttp://www.monotype.com/html/mtname/ms_welcome.htmlhttp://www.monotype.com/html/type/license.html (referenced by PDF JavaScript)
    The ns.adobe.com, purl.org and w3.org entries are XMP metadata namespaces. The monotype.com, microsoft.com/typography, microsoft.com/truetype and verisign.com strings, with font names (ms_arial, ms_couriernew) fused into them and ASN.1-style trailing '0' bytes, are consistent with the license-URL name records and the certificate chain in the DSIG table that embedded Microsoft TrueType fonts carry, so the "referenced by PDF JavaScript" channel for those entries deserves a second look before any of them is treated as a script-reachable indicator.

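The three structural findings above (content after the signed byte range, one object number defined twice, a /Btn widget with an action trigger) can be reproduced with a raw-byte scan. The script below is an added example, not the analysis tool's own detector. It runs on a constructed two-revision PDF built inline: the /Contents placeholder is dummy bytes rather than a real CMS signature, so the check is about what the /ByteRange covers, not whether the signature verifies; the rule names are reused from this report, while the severities and the sample's object layout are assumptions.

```python
import re

# Constructed example, not the sample from this report: a one-page PDF with a
# placeholder signature (dummy /Contents, no real CMS blob) followed by an
# incremental update appended after the signed /ByteRange.

def build_signed_pdf():
    """Return a minimal signed PDF whose /ByteRange covers the whole first revision."""
    sig_hex = b"00" * 32  # placeholder, not a real signature
    template = (
        b"%%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
        b"/AcroForm << /Fields [4 0 R] /SigFlags 3 >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>\nendobj\n"
        b"4 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Sig /T (Signature1) "
        b"/V 5 0 R /Rect [0 0 0 0] >>\nendobj\n"
        b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
        b"/ByteRange [0 %08d %08d %08d] /Contents <" + sig_hex + b"> >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R /Size 6 >>\n%%%%EOF\n"
    )
    # Fixed-width numbers keep every offset stable while the range is filled in.
    draft = template % (0, 0, 0)
    start = draft.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    end = draft.index(b">", start) + 1                         # just past '>'
    return template % (start, end, len(draft) - end)

# Appended after the signed revision (no xref for brevity): object 3 is redefined
# with a different body but no active content, and a new /Btn widget carries a
# JavaScript action the signer never saw.
INCREMENTAL_UPDATE = (
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [4 0 R 6 0 R] >>\nendobj\n"
    b"6 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (Download) "
    b"/Rect [0 0 120 24] /A << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Size 7 /Prev 0 >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
ACTIVE_KEYS = (rb"/JavaScript\b", rb"/JS\b", rb"/AA\b", rb"/Launch\b", rb"/SubmitForm\b")
BUTTON_TRIGGER = re.compile(rb"/S\s*/(JavaScript|URI|Launch|SubmitForm)\b")

def signed_end(pdf):
    """Offset where the last /ByteRange stops covering the file, or None if unsigned."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in BYTERANGE_RE.finditer(pdf)]
    return max(ends) if ends else None

def triage(pdf):
    """Return (rule, (num, gen), severity) findings in file order.

    Plain regex over the raw bytes: objects packed in compressed object streams
    (/Type /ObjStm) are not expanded, so a real triage must inflate those too.
    """
    end = signed_end(pdf)
    first_body = {}
    findings = []
    for m in OBJ_RE.finditer(pdf):
        ref, body = (int(m.group(1)), int(m.group(2))), m.group(3)
        active = any(re.search(k, body) for k in ACTIVE_KEYS)
        if ref in first_body and first_body[ref] != body:
            # Same object number, different bytes: first-wins and last-wins readers disagree.
            findings.append(("PDF_DUPLICATE_OBJ_BODY_INCREMENTAL", ref,
                             "medium" if active else "info"))
        first_body.setdefault(ref, body)
        if end is not None and m.start() >= end and active:
            # Defined after the signed range: content the signer did not approve.
            findings.append(("PDF_SIGNATURE_POST_SIGN_MODIFICATION", ref, "medium"))
        if b"/FT /Btn" in body and BUTTON_TRIGGER.search(body):
            findings.append(("PDF_ACROFORM_BUTTON", ref, "low"))
    return findings

if __name__ == "__main__":
    for rule, ref, severity in triage(build_signed_pdf() + INCREMENTAL_UPDATE):
        print(f"{severity:<6} {rule} obj {ref[0]} {ref[1]}")
```

Run stand-alone it prints one duplicate-object finding for object 3 at info and two findings for object 6 (post-signing active content, button with trigger). Feed it the bytes of a real file and keep the caveat in mind: a regex scan does not expand object streams, so an empty result from it is not a clean bill of health.
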
Extracted artifacts (32)

Files carved from inside the sample during analysis. Every preview shown is an AcroForm field-level script: Acrobat's built-in AFNumber_Format / AFNumber_Keystroke helpers, the form's own TFANP / TFNK / kstroke / formatt / oddo / vymzak helpers, and focus or alignment handling on fields with the b12c96nf prefix, with Czech comments and prompts that fit the RELDP 2009 authoring application. None of the script bodies previewed here calls a URL, launch, file or submit API; the verdict above therefore rests on the post-signing modification, the button trigger and the classifier score, not on these scripts.

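Carving /JS values the way this list presents them (stream object number, file offset, SHA-256, script body) is a short job once the object table is in hand. The block below is an added example, not the tool's carver: it resolves /JS given as an indirect reference to a /FlateDecode stream and /JS given as an inline literal string, takes the last definition of each object number as a reader would after an incremental update, and runs on a constructed PDF embedded in the code. Object streams, indirect /Length values, other filters and hex strings are out of scope; the file-name pattern and field order mirror the list that follows.

```python
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

def pdf_objects(pdf):
    """Map (num, gen) -> (offset, body) for every 'N G obj ... endobj' in the file.

    Last definition wins, as in an incremental-update-aware reader. Objects packed
    in compressed object streams (/Type /ObjStm) are not expanded.
    """
    return {(int(m.group(1)), int(m.group(2))): (m.start(), m.group(3))
            for m in OBJ_RE.finditer(pdf)}

def decode_stream(body):
    """Return the stream payload of an object body, inflated if /FlateDecode is declared.

    Needs a direct /Length; an indirect length (N G R) or any other filter is not handled.
    """
    start = re.search(rb"\bstream\r?\n", body)
    length = re.search(rb"/Length\s+(\d+)\b", body)
    if not start or not length:
        return None
    data = body[start.end():start.end() + int(length.group(1))]
    if re.search(rb"/Filter\s*/FlateDecode\b", body):
        data = zlib.decompress(data)
    return data

def literal_string(buf, start):
    """Decode the PDF literal string that opens at buf[start] == b'('.

    Balanced nested parentheses are kept; a backslash escapes the next byte
    (\\n-style and octal escapes are passed through with the backslash dropped).
    """
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def carve_js(pdf):
    """Carve every /JS value into (name, sha256, offset, script) tuples.

    /JS N G R is resolved to the referenced stream object and named after it;
    /JS (...) is decoded in place. Hex strings <...> are skipped.
    """
    objs = pdf_objects(pdf)
    carved = []
    for (num, gen), (offset, body) in sorted(objs.items(), key=lambda kv: kv[1][0]):
        m = re.search(rb"/JS\b\s*", body)
        if not m:
            continue
        rest = body[m.end():]
        ref = re.match(rb"(\d+)\s+(\d+)\s+R\b", rest)
        if ref:
            src = (int(ref.group(1)), int(ref.group(2)))
            if src not in objs:
                continue
            offset, body = objs[src]
            num, script = src[0], decode_stream(body)
        elif rest.startswith(b"("):
            script = literal_string(rest, 0)
        else:
            continue
        if script is None:
            continue
        name = f"javascript_obj{num:04d}_{len(carved):03d}.js"
        carved.append((name, hashlib.sha256(script).hexdigest(), offset, script))
    return carved

def build_sample():
    """Constructed PDF (not this report's sample): one Flate-packed /JS stream, one inline /JS."""
    script = (b"// returns true if the character ch occurs in the string values\n"
              b"function charIn(ch, values) { return values.indexOf(ch) >= 0; }\n")
    packed = zlib.compress(script)
    parts = [
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 3 0 R >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed,
        b"\nendstream\nendobj\n",
        b"4 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (Go) "
        b"/A << /S /JavaScript /JS (app.alert(\"hi \\(there\\)\")) >> >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R /Size 5 >>\n%%EOF\n",
    ]
    return b"".join(parts)

if __name__ == "__main__":
    for name, digest, offset, script in carve_js(build_sample()):
        print(f"{name} at offset 0x{offset:X} {len(script)} bytes SHA-256: {digest}")
```

The index in the file name counts carved scripts in file order, so gaps in a tool's numbering usually mean artifacts of other kinds were carved in between rather than anything missing from the list.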
Filename | Kind | Source | Size
javascript_obj0581_000.js | pdf-javascript-stream | PDF /JS object 581 at offset 0x5F37 | 242 bytes
SHA-256: cfcec381f8bf0646cd3df803cdd51dc502f082522034131621be5106adf7485c
Preview (first 1,000 lines):
// returns true if the character ch occurs in the string values, otherwise false;
function charIn(ch, values)
{
    for ( var t = 0; t < values.length; t++)
    {
        if ( ch == values.substr(t,1)) { return true; }
    }
    return false;
}
javascript_obj0590_001.js | pdf-javascript-stream | PDF /JS object 590 at offset 0x61E1 | 37 bytes
SHA-256: 5933ca82ad3e6bb3ddfba3ac8d6a529892142da6d5bcaf33ae2486d238cc5aae
Preview (first 1,000 lines):
function TFNK(bs,bt,bc)
{

}
javascript_obj0597_002.js | pdf-javascript-stream | PDF /JS object 597 at offset 0x6350 | 256 bytes
SHA-256: db645969c141056ae93808bf6dfe857a11e9360547adeb24d5a3631692c5b77a
Preview (first 1,000 lines):
function TFANP(bv,bf,bn,bc)
{

}

var TF_SPECIAL="@#$%&()*+-,./;:";

// TF_ALPHA is not declared in this stream; the test below only works if an earlier
// document-level script defined it. The non-ASCII run is a mis-encoded alphabet with
// Czech diacritics, shown as extracted.
if(!TF_ALPHA||!TF_ALPHA.length)
 TF_ALPHA=" ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzA��A�AA�E�E�I��I.NO��O�OU�U��.�a��a�aa�e�e�i��i.no��o�ou�u��.\r\n";
javascript_obj0888_003.js | pdf-javascript-stream | PDF /JS object 888 at offset 0x297F0 | 57 bytes
SHA-256: f2b333f0c9e4ef37ebf7da291342abeb95f847bba92b3c4147f1356b08971fc7
Preview (first 1,000 lines):
//this.getField("b12c96nfPrijmeni").setFocus();
javascript_obj0893_004.js | pdf-javascript-stream | PDF /JS object 893 at offset 0x29E1A | 36 bytes
SHA-256: 022fdac1f75a7ab94bc7f61a4b3587a030ec02eca5cb1fc3e9cbae6d1fce704e
javascript_obj0902_005.js | pdf-javascript-stream | PDF /JS object 902 at offset 0x2A36B | 66 bytes
SHA-256: 2a6fef7fa7b08b1d453dfddac9a45a4cd9d5795586c0b0d781c1033e27d882ca
Preview (first 1,000 lines):
oddo("b12c96nfVCod", "b12c96nfVCdo", "b12c96nfZapDny",0)
javascript_obj0903_006.js | pdf-javascript-stream | PDF /JS object 903 at offset 0x2A3E1 | 130 bytes
SHA-256: d01b44ce3b05afa71d61b1314f5ab9e9a417df4a7b04f6f9b10a6e8c48ac97ad
Preview (first 1,000 lines):
var year = this.getField("b12c96nfRok");
if (year.value=="")
{
  app.alert("Musíte vyplnit rok!",1,0); // "You must fill in the year!"
  year.setFocus();
}
javascript_obj0904_007.js | pdf-javascript-stream | PDF /JS object 904 at offset 0x2A49F | 81 bytes
SHA-256: 94eea748a6cea27ca19d8e4cfe4a7fc3f492c8bd457d11b50ec029d85ef31c9c
Preview (first 1,000 lines):
oddo("b12c96nfVCod", "b12c96nfVCdo", "b12c96nfZapDny", 1)
javascript_obj0917_008.js | pdf-javascript-stream | PDF /JS object 917 at offset 0x2AD6E | 64 bytes
SHA-256: 6740a7f5aa2a036211c944166a16e9907c4500e9c5e83eea96e31189b504c378
Preview (first 1,000 lines):
oddo("b12c96nfVCod_2", "b12c96nfVCdo_2", "b12c96nfZapDny_2",0)
javascript_obj0919_009.js | pdf-javascript-stream | PDF /JS object 919 at offset 0x2AE98 | 64 bytes
SHA-256: a119d21406cd732371ccce6b74d89683ff95bc8b862877d382b8a6d9db71cfa6
Preview (first 1,000 lines):
oddo("b12c96nfVCod_2", "b12c96nfVCdo_2", "b12c96nfZapDny_2",1)
javascript_obj0925_010.js | pdf-javascript-stream | PDF /JS object 925 at offset 0x2B2BF | 69 bytes
SHA-256: 831cf2ef45a05d5da6b98c9364a6ff90bf93adcf4385b22218676ed343b12d29
Preview (first 1,000 lines):
vymzak();
this.getField("b12c96nfVymZak_2").alignment = "right";
javascript_obj0926_011.js | pdf-javascript-stream | PDF /JS object 926 at offset 0x2B336 | 110 bytes
SHA-256: a82ec1938a67ea955cb49c3b582aafc3ce0a747792933e0984bc1ce8d919c2f7
Preview (first 1,000 lines):
this.getField("b12c96nfVymZak_2").alignment = "left";
this.getField("b12c96nfVymZak_2").alignment = "left";
javascript_obj0932_012.js | pdf-javascript-stream | PDF /JS object 932 at offset 0x2B71F | 64 bytes
SHA-256: a2026eaded872d408de1a0727d59b2a14e5cda0f8e2eab6818b91f6fd62e8a26
Preview (first 1,000 lines):
oddo("b12c96nfVCod_3", "b12c96nfVCdo_3", "b12c96nfZapDny_3",0)
javascript_obj0934_013.js | pdf-javascript-stream | PDF /JS object 934 at offset 0x2B849 | 64 bytes
SHA-256: 7b89437e0442a88faa488bbb58c03bb421bfc737430918f370b174b3edb629d8
Preview (first 1,000 lines):
oddo("b12c96nfVCod_3", "b12c96nfVCdo_3", "b12c96nfZapDny_3",1)
javascript_obj0940_014.js | pdf-javascript-stream | PDF /JS object 940 at offset 0x2BC72 | 69 bytes
SHA-256: c3e2392d693892f0030f19c4b43a693f9a443a73a42b2bb7d225c3ac271980c0
Preview (first 1,000 lines):
vymzak();
this.getField("b12c96nfVymZak_3").alignment = "right";
javascript_obj0941_015.js | pdf-javascript-stream | PDF /JS object 941 at offset 0x2BCE9 | 110 bytes
SHA-256: 0d70bcd1df805b4b019a399ee49bb4bfbdc6fd825d37d2fa02fd867c6d2650e7
Preview (first 1,000 lines):
this.getField("b12c96nfVymZak_3").alignment = "left";
this.getField("b12c96nfVymZak_3").alignment = "left";
javascript_obj0944_016.js | pdf-javascript-stream | PDF /JS object 944 at offset 0x2BF85 | 49 bytes
SHA-256: 5917f27db86b92b79537cfa334727ac95a1009b0f3e56d98fa01107a42434ec5
Preview (first 1,000 lines):
this.getField("b12c96nfDatVyhELDP").setFocus; // property read without call parentheses: a no-op as written
javascript_obj0022_020.js | pdf-javascript-stream | PDF /JS object 22 at offset 0x2E45A | 57 bytes
SHA-256: 5ec848ad6ef70ea6201cd4fed778e5d7484cc628574e50642d3be469cdab1bdb
Preview (first 1,000 lines):
// <cardiff:dbtype name="text"/>
TFANP(0,1,0,0);
javascript_obj0023_021.js | pdf-javascript-stream | PDF /JS object 23 at offset 0x2E4C6 | 99 bytes
SHA-256: 4d75f414b1ca527a9a418178d2f9383f5bc446a8e656b331266d67bfe924b2a9
Preview (first 1,000 lines):
kstroke(0,1,"+sdpmnrabcdefSDPMNRABCDEF"); // form's own keystroke filter: allowed characters
event.change = event.change.toUpperCase();
javascript_obj0028_022.js | pdf-javascript-stream | PDF /JS object 28 at offset 0x2E8C2 | 51 bytes
SHA-256: e59e16daf6a5ad36f09de162318ff1a6d7308aefa76f056dfb911d3591738eb7
Preview (first 1,000 lines):
// <cardiff:dbtype name="text"/>
TFANP(0,1,0,0);
javascript_obj0029_023.js | pdf-javascript-stream | PDF /JS object 29 at offset 0x2E922 | 51 bytes
SHA-256: 85fa3db4d3b889053dfa749c6089d8a98c65fe129dab4139b0647470c85353e6
Preview (first 1,000 lines):
// <cardiff:dbtype name="text"/>
TFANP(1,0,0,0);
javascript_obj0035_025.js | pdf-javascript-stream | PDF /JS object 35 at offset 0x2EBA1 | 91 bytes
SHA-256: 54ca76c214d8e79e4ddc1eb463fec3531d3b113d2976de190663a4de3758281c
Preview (first 1,000 lines):
kstroke(0,1,"+sdpmnrabcdefSDPMNRABCDEF");
event.change = event.change.toUpperCase();
javascript_obj0037_026.js | pdf-javascript-stream | PDF /JS object 37 at offset 0x2ED23 | 38 bytes
SHA-256: ae95d6581723cae0c2c1e3044a60f6c91e032264799b53449cd6269e6993d7bc
Preview (first 1,000 lines):
AFNumber_Format(0, 0, 0, 0, "", true); // Acrobat built-in number format action
javascript_obj0049_029.js | pdf-javascript-stream | PDF /JS object 49 at offset 0x2F2E9 | 48 bytes
SHA-256: 3f5b948245d466b4589d006687ffd3524f59a9965170729175cb5bd633b59ca6
Preview (first 1,000 lines):
// <cardiff:dbtype name="text"/>
TFNK(0,1,0);
javascript_obj0060_030.js | pdf-javascript-stream | PDF /JS object 60 at offset 0x2FFD5 | 39 bytes
SHA-256: ec2a2053e3b84f56547297825efbc1437665e1884725db8d77e914a1ce3cc9f7
Preview (first 1,000 lines):
AFNumber_Format(0, 1, 1, 0, "", false);
javascript_obj0084_031.js | pdf-javascript-stream | PDF /JS object 84 at offset 0x31152 | 44 bytes
SHA-256: b59826645745de2a2451953793ba6d111f30741fa33fc89421e5b9ba47e5767d
Preview (first 1,000 lines):
event.value = formatt(event.value, 3, " ")
javascript_obj0136_035.js | pdf-javascript-stream | PDF /JS object 136 at offset 0x335CD | 41 bytes
SHA-256: 617ef4da07d9bc9d4e06a2320fe0d4cbacd3d6c2cc82039cf4e79e7facf7545f
Preview (first 1,000 lines):
AFNumber_Keystroke(0, 0, 0, 0, "", true); // Acrobat built-in numeric keystroke filter
javascript_obj0162_037.js | pdf-javascript-stream | PDF /JS object 162 at offset 0x34965 | 41 bytes
SHA-256: 3e3d0e421d915769fa631911550fb2593579e6bb9a99fb9158381ac8e8f07fe2
Preview (first 1,000 lines):
AFNumber_Keystroke(0, 1, 0, 0, "", true);
javascript_obj0197_039.js | pdf-javascript-stream | PDF /JS object 197 at offset 0x3643E | 48 bytes
SHA-256: 57a5ede2bbb812b0e91f49bc7f70a9b8aa69e02d7d36a4cd9d9c1cfafdbbb257
Preview (first 1,000 lines):
// <cardiff:dbtype name="text"/>
TFNK(1,1,0);
javascript_obj0267_040.js | pdf-javascript-stream | PDF /JS object 267 at offset 0x39919 | 42 bytes
SHA-256: 40af22c566b45f66fde72d79348c326b8e7933a50e8c3ad3de475195aac9dacb
Preview (first 1,000 lines):
AFNumber_Keystroke(0, 1, 1, 0, "", false);
javascript_obj0293_041.js | pdf-javascript-stream | PDF /JS object 293 at offset 0x3ACEA | 38 bytes
SHA-256: d01aa0c07a077ec23f69b8fd9ccdaa6826882e0b2e7e446039ebdd1d983fffcc
Preview (first 1,000 lines):
AFNumber_Format(0, 1, 0, 0, "", true);
javascript_obj0349_042.js | pdf-javascript-stream | PDF /JS object 349 at offset 0x3D973 | 68 bytes
SHA-256: 1a21e7fdc3c88a60142a82274de85f91d7ad2a2f79a270ff578e3c3ae8198619
Preview (first 1,000 lines):
kstroke(0,1,"");
event.change = event.change.toUpperCase();