Malicious PDF — malware analysis report

Static analysis result for SHA-256 e469577006753efb…

MALICIOUS

PDF

41.0 KB First seen: 2026-05-11
MD5: 9a53df1479086ad83325f3c2913edcc3 SHA-1: 8bd33a3e15eac02ddf0124cfaabfcaee8195bfd5 SHA-256: e469577006753efbdabf904fef12423652d3e46109a53333d79df56a68c8e0f1
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file is encrypted and contains an OpenAction, which is a common technique to obscure malicious content from static analysis. The heuristic 'PDF_ENCRYPTED_WITH_JS' indicates that JavaScript may be involved in the obfuscation or execution of the payload. The 'PDF_IMAGE_ONLY_LURE' heuristic suggests the document's content is presented as an image to bypass text-based analysis and potentially trick the user. Without further script analysis or extracted URLs, the exact payload and delivery mechanism remain unclear, leading to a lower confidence score.

Machine Learning

  • Nyx PDF Classifier clean score 0.0262

Heuristics 3

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 14

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0080_002.js pdf-javascript-stream PDF /JS object 80 at offset 0x5A69 40 bytes
SHA-256: 8989156e0f24047d2839dcbaed7792336dc870f1247937743c018c2d7d428bf2
Preview script
First 1,000 lines of the extracted script
this.getField("scrutateur").setFocus();
javascript_obj0086_003.js pdf-javascript-stream PDF /JS object 86 at offset 0x6423 78 bytes
SHA-256: a6248cb417d3a27fc2836456470d337976c0d1432150f2ad7ce8bc6ad1065fd0
Preview script
First 1,000 lines of the extracted script
obtenirMessage("messageInfo_cliquez");
this.getField("president").setFocus();
javascript_obj0097_004.js pdf-javascript-stream PDF /JS object 97 at offset 0x6AAC 62 bytes
SHA-256: ec0291f72448d57d21a1f84630a648849c2a0d442a85c789f0f10b827f9083b7
Preview script
First 1,000 lines of the extracted script
if(event.value){event.value = util.printx(">*",event.value);}
javascript_obj0107_005.js pdf-javascript-stream PDF /JS object 107 at offset 0x6E22 37 bytes
SHA-256: ea259f6281e66629fa1f3e0a7ab4b6880d7627c43718a284b67628977c797989
Preview script
First 1,000 lines of the extracted script
obtenirMessage("messageInfo_imp11");
javascript_obj0111_006.js pdf-javascript-stream PDF /JS object 111 at offset 0x72BC 105 bytes
SHA-256: 91a1df531d91cf7b649b2ad4ba0ad99ba3bfcb256685859dc59107549ab67a18
Preview script
First 1,000 lines of the extracted script
if(obtenirMessage("messageAvis_effacer") == 4)
{
	resetForm();
	this.getField("president").setFocus();
}
javascript_obj0115_007.js pdf-javascript-stream PDF /JS object 115 at offset 0x77B8 37 bytes
SHA-256: 1f440ab05a7c603edbd1bdce697a1731d4f7e38170d9e6f0d0d16a6df0490ff8
Preview script
First 1,000 lines of the extracted script
this.getField("cliquez").setFocus();
javascript_obj0120_008.js pdf-javascript-stream PDF /JS object 120 at offset 0x78FB 206 bytes
SHA-256: 1c51f00ff2a9097ba85afb7c805b14e4fe8a83faca57b44469e03f7abd5435db
Preview script
First 1,000 lines of the extracted script
if ( typeof x == "undefined" )
   {
   if (app.viewerVersion < 5.05)
      obtenirMessage("messageErreur_reader");
   else
      {
      var x = 1;
      this.getField("president").setFocus();
      }
   }
javascript_obj0154_009.js pdf-javascript-stream PDF /JS object 154 at offset 0xCA33 35 bytes
SHA-256: 8dc02ba48d6c20bb5007c9432fec9ec2c52bca2a4362d6c478bac61a663f3a6f
Preview script
First 1,000 lines of the extracted script
this.getField("reset").setFocus();
javascript_obj0148_010.js pdf-javascript-stream PDF /JS object 148 at offset 0xB55D 10239 bytes
SHA-256: 88b7de31649d8aee1ab443d061645e29cd733ffa22439dd9a4208e121c7f4bb8
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function autoTab(champSuivant)
   {
   if (event.rc && AFMergeChange(event).length == event.target.charLimit)
      this.getField(champSuivant).setFocus();
   }

function validerNoDossier()
   {
   var position = event.selStart + 1;

   if (position == 1 || position == 2)
      validerAlpha();
   else
      validerNum();
   }

function annulerDernierEvnmt()
      {
      app.beep(0);
      event.rc = false;
      return false;
      }

function validerHeure()
{
	if (event.value)
	{
  		var heure = event.value;
		if (heure > 2400 || heure.length<4)
    	{
    		obtenirMessage("messageErreur_heure");
     	event.rc = false;
    	}
	}
}

function formaterHeure()
{
	if (event.value) event.value = util.printx("99 h 99", event.value);
}

function validerNum(car)
   {
   var cValid = "0123456789" + (typeof car == "string" ? car : "");
   numValide = true;
   
   if (cValid.indexOf(event.change) == -1)
      numValide = annulerDernierEvnmt();
   else
      numValide = true;

   return numValide;
   }


function validerAlpha(car)
   {
   var cValid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + (typeof car == "string" ? car : "");
   alphaValide = true;

   if (cValid.indexOf(event.change) == -1)
      alphaValide = annulerDernierEvnmt();
   else
      alphaValide = true;
   
   return alphaValide;
   }
   
   
   
function validerAlphaNum(car)
   {
   var cValid = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" + (typeof car == "string" ? car : "");
   alphaNumValide = true;

   if (cValid.indexOf(event.change) == -1)
      alphaNumValide = annulerDernierEvnmt();
   else
      alphaNumValide = true;

   return alphaNumValide;
   }



function validerCodePostal()
   {
   var position = event.selStart;
   var codePostalValide = true;
   
   if(!event.willCommit)
      if(position % 2 == 0)
         validerAlpha();
      else
         validerNum();
   else
      if(!validerCP())
         {
         obtenirMessage("messageErreur_cp");
         event.value = "";
         event.target.setFocus();
         codePostalValide = false;
         }

   return codePostalValide;
   }



function validerCP()
   {
   var codePostalValide   = true;
   var carInvalide        = /[dfioquDFIOQU]/g;
   var premierCarInvalide = /^[wzWZ]/;
   
   if(event.value)
      if(event.value.search(carInvalide) != -1 || event.value.search(premierCarInvalide) != -1 || event.value.search(/\D\d\D\d\D\d/))
         codePostalValide = false;

   return codePostalValide;
   }



function formaterCodePostal()
   {
   event.value = util.printx(">A9A 9A9",event.value);
   }



function validerDate(format)
   {
   date = event.value; dateValide = true;
   jourDansMois = new Array("31","29","31","30","31","30","31","31","30","31","30","31");
   annee = format == "amj" || format == "am" ? /^(\d{4})\d+/     : format == "ma"  || format == "jma" ? /\d+(\d{4})$/ : 0;
   mois  = format == "amj" || format == "am" ? /\d{4}(\d{2})\d*/ : format == "mj"  || format == "ma" ? /^(\d{2})\d+/  : /\d{2}(\d{2})\d*/;
   jour  = format == "amj" || format == "mj" ? /\d+(\d{2})$/     : format == "jma" || format == "jm" ? /^(\d{2})\d+/  : 0;

   if (date)
      if(date.length != event.target.charLimit)
         dateValide = false;
      else
         {
         if((mois ? retournerStr(date,mois) > 12 || retournerStr(date,mois) < 1 : false) || (annee ? !retournerStr(date,annee) : false))
            dateValide = false;
         else if(jour)
            if (retournerStr(date,mois) != 2 || (!annee))
               dateValide = retournerStr(date,jour) > jourDansMois[retournerStr(date,mois)-1] ||
               !retournerStr(date,jour) ? false : true;
            else
               dateValide = retournerStr(date,jour) > jourDansFevrier(retournerStr(date,annee)) ||
               !retournerStr(date,jour) ? false : true;
         }

   if(!dateValide) {event.rc = false; obtenirMessage("messageErreur_"+format);} return dateValide;
   }

function jourDansFevrier(annee)
   {
   return (((annee % 4 == 0) && ((!(annee % 100 == 0)) || (annee % 400 == 0))) ? 29 : 28 );
   }

function retournerStr(date,regExp)
   {
   return parseInt(date.replace(regExp,"$1"),10);
   }



function formaterDate(str)
   {
   j = m = "99"; a = "9999"; tiret = "-"; format = "";
   for(var i = 0; i < str.length*2-1; i++) format += i % 2 ? tiret : eval(str.substr(i/2,1));
   if(event.value) event.value = util.printx(format,event.value);
   }


function formaterDate2()
   {
   event.value = util.printx("9999  99   99", event.value);
   }



function validerNas()
{
var intPreuve = 0, intTmp = 0, strNAS = event.value;
var nasValide = true;

if (strNAS != "")
	{
	if (parseInt(strNAS.charAt(0)) != 0)
		{
		for (var i = 0; i < 8; i++)
			{
      		intTmp = parseInt(strNAS.charAt(i));
	        if ((i + 1) % 2 == 0)
	        	{
	        	intTmp = intTmp * 2;
	        	if (intTmp > 9)
	            	intTmp = (intTmp % 10) + 1;
	        	}
	         intPreuve = intPreuve + intTmp;
	         }

		intPreuve = 10 - (intPreuve % 10);
		if (intPreuve == 10)
		intPreuve = 0;
		}
	if (strNAS.charAt(8) != intPreuve || strNAS.length != 9 || parseInt(strNAS.charAt(0)) == 0)
		{
		nasValide = false;
		event.rc = false;
		obtenirMessage("messageErreur_nas");
		}
	return nasValide;
	}
}

function formaterNas()
   {
   event.value = util.printx("999 999 999",event.value);
   }



function validerTel()
   {
   var tel = util.printx("9999999999", event.value);
   var telValide = true;
   var messageErreur = arguments.length ? "messageErreur_" + arguments[0] : "messageErreur_tel";

   if (tel.length != 10 && tel.length != 7 && tel.length != 0)
      {
      telValide = false;
      event.rc = false;
      obtenirMessage(messageErreur);
      }
   return telValide;
   }



function validerFax()
   {
   validerTel("fax");
   }



function formaterTel()
   {
   format = event.value.length == 10 ? "(999) 999-9999" : "999-9999";
   if (event.value) event.value = util.printx(format, event.value);
   }



function colorerChamp(colorSpace, c1, c2, c3)
   {
   f = event.target;
   if(arguments.length == 1) /*Valeur par d�faut*/ {c1 = 0; c2 = 0; c3 = 255; c4 = 1;} else c4 = c1;

   switch(colorSpace)
      {
      case "RGB"   : c1 = c1/255; c2 = c2/255; c3 = c3/255;
                     break;
      case "T"     : c1 = ""; c2 = ""; c3 = "";
                     break;
      case "G"     : c1 = c4/255; c2 = ""; c3 = "";
                     break;
      }

   f.strokeColor = [colorSpace, c1, c2, c3];
   f.lineWidth = 1;
   f.borderStyle = border.s;
   }



function activerChamp(champ)		//Pour les bouton d'aide, apr�s obtenirMessage("...
   {
   var champActiver = arguments.length ? champ : event.target.name.substr(5);
   this.getField(champActiver).setFocus();
   }



function reporterChamp(valeur)		//Pour les champ report�, dans l'onglet Valider
   {
   var valeurRep = arguments.length ? valeur : event.value;
   this.getField("rep_" + event.target.name).value = valeurRep;
   }



function gererAffichageBulle()
   {
   var bulle = this.getField("text_" + event.target.name);
   var evnmt = event.name;

   switch(evnmt)
      {
      case "Focus"       : bulle.display = display.noPrint;
                           break;
                           
      case "Mouse Enter" : bulle.display = display.noPrint;
                           break;
                           
      case "Blur"        : bulle.display = display.hidden;
                           break;
                           
      case "Mouse Exit"  : bulle.display = display.hidden;
                           break;

      }
   }

// "valeur" est le nombre "non-format�" re�u en param�tre.
// Par d�faut: event.value

// "nb_Decimales" sp�cifie le nombre de d�cimale que le nombre doit avoir � la sortie.
// Par d�faut, il y en aura 2.

// "separateur" est le caract�re utilis� pour s�parer les groupes de trois chiffres, les milliers.
// Pour ne pas en mettre : "", par d�faut, c'est l'espace;

// "carAAjouter" sont les caract�res qu'il est possible d'ajouter au nombre AVANT ou APR�S le nombre... 
// selon le param�tre "endroit" qui peut �tre sp�cifi� � 1 pour AVANT.
// Par d�faut, les carAAjouter, � "" par d�faut, sont plac�s APR�S(2).

function formaterArgent()
{
	return formaterNombre(event.value,2,","," "," $",2);
}

function formaterNombre(valeur,nb_Decimales,sep_Dec,sep_Milliers,carAAjouter,endroit)
{
	if (typeof valeur		=="undefined") {valeur = event.value;}
		else if(valeur == ".") {valeur = 0;}
	if (typeof nb_Decimales	=="undefined") {nb_Decimales = 2;}
	if (typeof sep_Dec	=="undefined") {sep_Dec = ",";}
	if (typeof sep_Milliers	=="undefined") {sep_Milliers =" ";}
	if (typeof carAAjouter	=="undefined") {carAAjouter = "";}
	if (typeof endroit	=="undefined") {endroit = 2;}

	var facteur = "1";
	for (var i=0;i<nb_Decimales;i++)
	{
		facteur += "0";
	}
	facteur = facteur*1;

	var resultat = valeur * facteur;
	resultat = Math.round(resultat);
	resultat = resultat/facteur;

	str_Resultat = resultat.toString();

	var posPoint = str_Resultat.indexOf(".");
	if (posPoint == -1 && nb_Decimales)
	{
		str_Resultat += ".";
		posPoint = str_Resultat.length-1;
	}
	var longueur = str_Resultat.length;
	nbCAP = longueur - (posPoint+1);
	for(var i = nbCAP;i<nb_Decimales;i++)
	{
		str_Resultat += "0";
	}		


	if(sep_Milliers !="")
	{
		var dernierEntier = posPoint == -1 ? str_Resultat.length-1 : posPoint-1;
		if (dernierEntier>2)
		{
			var car = "";
			var cpt3 = 0;
			resultat = str_Resultat.substr(dernierEntier,nb_Decimales+2);
			for (var i = dernierEntier-1;i>=0;i--)
			{	
				if(cpt3==2)
				{
					resultat = sep_Milliers + resultat;
					cpt3=0;
				}
				else 
				{
					cpt3++;
				}
				resultat = str_Resultat.substr(i,1)+ resultat;
			}
		}
		else
		{
			resultat = str_Resultat;
		}
	}
	else
	{
		resultat = str_Resultat;
	}
	
	if(carAAjouter)
	{
		emplacement = endroit == 1 ? 1:2;
		switch(emplacement)
		{
		case 1: resultat = carAAjouter + resultat;
			  break;
		case 2: resultat = resultat + carAAjouter;
		}	
	}
	if(sep_Dec==","){resultat = resultat.replace(".",",");}
	return resultat;
}

function validerArgent()
{
	if(event.value.indexOf(".") == -1)
	{
		validerNum(".");
	}
	else
	{
		validerNum();
	}
}
javascript_obj0149_011.js pdf-javascript-stream PDF /JS object 149 at offset 0xC1A2 3517 bytes
SHA-256: 41ec51841d5b43d22af3c7f0f1b101ac4f153dda663e18ffd5b9d8abb6143437
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
function obtenirMessage(message)
   {
	messageInfo_cliquez  = "BESOIN D'AIDE ?\nCliquez sur les hyperliens.\n\nNAVIGATION\nUtilisez la touche de tabulation.\n\nMISE EN FORME DE CERTAINS CHAMPS\nMise en forme automatique : date, num�ro d'assurance sociale, code postal et num�ro de t�l�phone (ne tapez que les caract�res essentiels, sans tiret, espace ou barre oblique).\n\nIMPRESSION\nUtilisez les boutons au bas du formulaire.\n\nD�CIMALES\nUtilisez le point et non l'espace ou la virgule.";
   	messageInfo_amj      = "Entrez la date sous la forme � AAAAMMJJ �. Par exemple,\npour inscrire le 26 mars 2005, tapez � 20050326 �.";
   	messageInfo_mj       = "Entrez la date sous la forme � MMJJ �. Par exemple,\npour inscrire le 26 mars, tapez � 0326 �.";
   	messageInfo_am       = "Entrez la date sous la forme � AAAAMM �. Par exemple,\npour inscrire le mois de mars 2005, tapez � 200503 �.";
   	messageInfo_tel      = "N'inscrivez que les chiffres de l'indicatif r�gional et du num�ro de t�l�phone. Ils seront mis en forme automatiquement.";
	messageInfo_heure    = "Entrez l'heure sous la forme � HHMM �. Par exemple, \npour inscrire 9h05, tapez � 0905 �." 
	messageInfo_imp14    = "Prenez soin de sp�cifier le format de papier appropri� pour l'impression du document, soit � 8� X 14 � (Legal US)."  	
	messageInfo_imp11    = "Prenez soin de sp�cifier le format de papier appropri� pour l'impression du document, soit � 8� X 11 � (Lettre US)."  	
	messageAvis_barrer   = "Sauvegarde avec protection du document. Vous ne pourrez que consulter et imprimer le document.\n\nVoulez-vous continuer?";
	
   	messageAvis_effacer  = "                                        Tout effacer ?                                    \n\nVoulez-vous vraiment effacer toutes les donn�es inscrites sur le formulaire ?";
   	messageErreur_amj    = "Date invalide. Vous devez respecter le format � AAAAMMJJ �\n(par ex., tapez � 20050326 � pour inscrire le 26 mars 2005).";
   	messageErreur_am     = "Date invalide. Vous devez respecter le format � AAAAMM �\n(par ex., tapez � 200503 � pour inscrire le mois de mars 2005).";
   	messageErreur_mj     = "Date invalide. Vous devez respecter le format � MMJJ �\n(par ex., tapez � 0326 � pour inscrire le 26 mars).";
   	messageErreur_nas    = "Num�ro d'assurance sociale invalide";
   	messageErreur_cp     = "Code postal invalide";
   	messageErreur_tel    = "Inscription incorrecte : inscrivez TOUS les chiffres de l'indicatif r�gional et du num�ro de t�l�phone.";
   	messageErreur_tel2   = "Valeur incorrecte. Vous devez entrer les sept chiffres, et seulement les sept chiffres, composant le num�ro de t�l�phone.";
   	messageErreur_fax    = "Inscription incorrecte : inscrivez TOUS les chiffres de l'indicatif r�gional et du num�ro de t�l�copieur.";
   	messageErreur_reader = "La version d'Acrobat Reader que vous utilisez est ant�rieure � celle requise (4.05). Des erreurs peuvent survenir. T�l�chargez la plus r�cente version (www.adobe.com), ou imprimez le formulaire et remplissez-le � la main.";
   	messageErreur_heure  = "Heure invalide. Vous devez respecter le format � HHMM �.\nPar exemple, pour inscrire 9 heures et 5 minutes, tapez � 0905 �."
	messageErreur_pw     = "Vous n'�tes pas autoris� ou vous avez le mauvais mot de passe.";	
	
  	if(message.search(/messageInfo/g) != -1)
    	return app.alert(eval(message),4); 
   	else if(message.search(/messageAvis/g) != -1) 
      	return app.alert(eval(message),1,2);
   	else
     	return app.alert(eval(message),1);
   }
font_00_cff_off0000cad2.bin pdf-font-stream PDF embedded font (cff) at offset 0xCAD2 1727 bytes
SHA-256: 55755829f9a5758fda88a297e902af710fbbf22cb76c21c5b1d18ccc8ddf10c0
font_01_cff_off0000d0df.bin pdf-font-stream PDF embedded font (cff) at offset 0xD0DF 2508 bytes
SHA-256: 26c20047e987aa408d1cfb719de5adb97c3d71ffa7da9d5753b409594fffc492
font_02_cff_off0000da07.bin pdf-font-stream PDF embedded font (cff) at offset 0xDA07 1406 bytes
SHA-256: 7df8c2693a65acebd3f39ac471283ed5a5c344f90f6867811b626b6a8177eb69
font_03_cff_off0000df84.bin pdf-font-stream PDF embedded font (cff) at offset 0xDF84 1114 bytes
SHA-256: c94f4c2931ef64ef1aac13c58c0665f682793edb004349704c208fdaa89f1f5d

Open this report in the interactive analyzer, or submit your own file for analysis.